tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: tomcat iptables problem
Date Tue, 02 Oct 2007 22:19:48 GMT

Dieter,

Dieter Schicker wrote:
> Now I set up an iptables firewall (with fwbuilder) with the following
> open ports:
> 8080 (http), 8005 (shutdown?), 8009 (ajp connector) and all lo traffic
> is allowed.

What about outgoing allowed ports?

> With this configuration I have the following behavior: Tomcat needs 3
> minutes to shut down and another 3 minutes to start up again. If it runs
> it runs perfectly ...

I'm not sure about shutdown, but if your server (or application) is
configured to use, say, an XML document with a SYSTEM ID that points to
an outside URL (for instance: http://java.sun.com/dtd/web-app_2_3.dtd),
the XML parser might be attempting to access that URL. If your firewall
is preventing outgoing HTTP connections (good old port 80), it might
waste a lot of time re-trying before it finally gives up and reads
non-validated XML.

I would change your iptables configuration to set all outgoing rejected
requests to LOG as well as reject, and then you can watch the iptables
log (usually the "kernel" log on Debian IIRC) for requests to foreign
hosts on port 80.

Hope that helps,
-chris
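
An added example, not part of the message above: one way to log outgoing packets before rejecting them and then pick the rejected port-80 destinations out of the kernel log. The log prefix, the function names, the rule placement and the sample log lines are assumptions made for illustration; the original poster's rules were generated by fwbuilder and are not shown on the page.

```shell
#!/bin/sh
# Hypothetical prefix used to find our LOG entries in the kernel log.
LOG_PREFIX="OUT-REJECT: "

# Append LOG then REJECT to the OUTPUT chain (needs root, so it is defined
# here but not called). Assumes the ACCEPT rules for permitted outgoing
# traffic come earlier in the chain and that no earlier rule already
# rejects or drops these packets; if one does, insert the LOG rule just
# before it instead.
append_log_then_reject() {
    iptables -A OUTPUT -j LOG --log-prefix "$LOG_PREFIX" --log-level 4
    iptables -A OUTPUT -j REJECT
}

# Read kernel log lines on stdin and print "<count> <destination>" for every
# rejected outgoing TCP packet to port 80, most frequent first. The spaces
# around DPT=80 keep ports such as 8080 from matching.
rejected_http_destinations() {
    awk -v prefix="$LOG_PREFIX" '
        index($0, prefix) && / PROTO=TCP / && / DPT=80 / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^DST=/) hits[substr($i, 5)]++
        }
        END { for (d in hits) print hits[d], d }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample lines in the format the LOG target writes
# (documentation-range addresses, not taken from a real system).
sample_log() {
    cat <<'EOF'
Oct  2 22:10:01 host kernel: OUT-REJECT: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 TTL=64 ID=101 DF PROTO=TCP SPT=40312 DPT=80 WINDOW=5840 SYN URGP=0
Oct  2 22:10:04 host kernel: OUT-REJECT: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 TTL=64 ID=102 DF PROTO=TCP SPT=40312 DPT=80 WINDOW=5840 SYN URGP=0
Oct  2 22:10:10 host kernel: OUT-REJECT: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 TTL=64 ID=103 DF PROTO=TCP SPT=40312 DPT=80 WINDOW=5840 SYN URGP=0
Oct  2 22:10:12 host kernel: OUT-REJECT: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.20 LEN=60 TTL=64 ID=104 DF PROTO=TCP SPT=40313 DPT=80 WINDOW=5840 SYN URGP=0
Oct  2 22:10:15 host kernel: OUT-REJECT: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.9 LEN=60 TTL=64 ID=105 DF PROTO=TCP SPT=40314 DPT=8080 WINDOW=5840 SYN URGP=0
Oct  2 22:10:16 host kernel: OUT-REJECT: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.53 LEN=71 TTL=64 ID=106 DF PROTO=UDP SPT=33001 DPT=53 LEN=51
EOF
}

# Demo on the constructed lines; on a real host, feed in the kernel log
# instead (for example the output of dmesg).
sample_log | rejected_http_destinations
```

Repeated entries for the same destination within a few seconds, as in the first three sample lines, are the retry pattern the message describes.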
