tomcat-users mailing list archives

From Dieter Schicker <dieter.schic...@uni-graz.at>
Subject Re: tomcat iptables problem
Date Wed, 03 Oct 2007 14:31:34 GMT
Sorry, of course the "accept bla bla" goes on a separate line!

Dieter Schicker wrote:
> Thanks a lot for all your valuable answers! Unfortunately none of them 
> helped me.
> Let me give you an example of this strange behavior (tomcat starting 
> very slowly [>3min.]).
>
> iptables Ruleset:
>
> -----------------------------------------------------
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> accept bla bla
> accept bla bla
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> accept bla bla
> accept bla bla
>
> Chain OUTPUT (policy DROP)
> target     prot opt source               destination
> accept bla bla
> accept bla bla
> -----------------------------------------------------
>
> => Tomcat starts slowly.
>
> Then I do the following:
>
> iptables -P INPUT ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -F INPUT
> iptables -F OUTPUT
> iptables -F FORWARD
>
> So I get:
>
> -----------------------------------------------------
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination       
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination       
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> -----------------------------------------------------
>
> => Tomcat still (!!!) starts slowly! (Why???)
>
> Only when I restart the whole Debian machine and do not start the 
> firewall, tomcat starts fast.
>
> The system is Debian 4.0 with a 2.6.18-4-xen-amd64 kernel and
> apache-tomcat-5.5.23 (same behavior with apache-tomcat-6.0.14).
>
> Any suggestions?
>
> Many thanks in advance
> Dieter
>
>
>
>
>
> Christopher Schultz wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Dieter,
>>
>> Dieter Schicker wrote:
>>  
>>> Now I set up an iptables firewall (with fwbuilder) with the following
>>> open ports:
>>> 8080 (http), 8005 (shutdown?), 8009 (ajp connector) and all lo traffic
>>> is allowed.
>>>     
>>
>> What about outgoing allowed ports?
>>
>>  
>>> With this configuration I have the following behavior: Tomcat needs 3
>>> minutes to shut down and another 3 minutes to start up again. If it 
>>> runs
>>> it runs perfectly ...
>>>     
>>
>> I'm not sure about shutdown, but if your server (or application) is
>> configured to use, say, an XML document with a SYSTEM ID that points to
>> an outside URL (for instance: http://java.sun.com/dtd/web-app_2_3.dtd),
>> the XML parser might be attempting to access that URL. If your firewall
>> is preventing outgoing HTTP connections (good old port 80), it might
>> waste a lot of time re-trying before it finally gives up and reads
>> non-validated XML.
>>
>> I would change your iptables configuration to set all outgoing rejected
>> requests to LOG as well as reject, and then you can watch the iptables
>> log (usually the "kernel" log on Debian IIRC) for requests to foreign
>> hosts on port 80.
>>
>> Hope that helps,
>> - -chris
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.7 (MingW32)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>>
>> iD8DBQFHAsQE9CaO5/Lv0PARAkrSAKCa6D0xMiG6zo4SdP5r3FVbEN30+ACgonNN
>> UuRz6pB8z+UUciozFLGv3eY=
>> =N69G
>> -----END PGP SIGNATURE-----
>>
>> ---------------------------------------------------------------------
>> To start a new topic, e-mail: users@tomcat.apache.org
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>   
>
>
> Dieter Schicker
> INIG - Department of Information Processing in the Humanities
> Karl Franzens University of Graz
> Merangasse 70
> A-8020 Graz
> Tel.: +43 316 380 8012
> http://www-gewi.uni-graz.at/inig/


Dieter Schicker
INIG - Department of Information Processing in the Humanities
Karl Franzens University of Graz
Merangasse 70
A-8020 Graz
Tel.: +43 316 380 8012
http://www-gewi.uni-graz.at/inig/
-- 
Student of Computer Science
Graz University of Technology
schicker@student.tugraz.at
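Chris's suggestion in the quoted message (log outgoing rejects as well as rejecting them, then watch the kernel log for connection attempts to foreign hosts on port 80) as an added example, not code from anyone in this thread: a small Python script that parses the key=value lines the iptables LOG target writes to the kernel log and summarises which outbound flows the firewall is blocking. It assumes the OUTPUT chain's last rule is `-j LOG --log-prefix "OUT-REJECT: "` (the prefix is our choice) so that every packet the DROP policy then discards is logged first, and that 10.0.0.0/8 and loopback are the only local networks; the sample log lines are constructed, using a documentation address for the foreign host.

```python
"""Summarise outbound connections rejected by iptables from kernel-log LOG lines.

Added example for this thread. Assumes the OUTPUT chain ends with
`-j LOG --log-prefix "OUT-REJECT: "` (prefix chosen here), so every packet
the chain's DROP policy discards is logged first.
"""
import re
import sys
from collections import Counter
from ipaddress import ip_address, ip_network

# Networks treated as "local"; any other destination counts as a foreign host.
# Assumption for this example; adjust to your own site.
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("127.0.0.0/8")]

# Shape of a LOG line in kern.log:
# "... kernel: [ 812.102345] OUT-REJECT: IN= OUT=eth0 SRC=... DST=... PROTO=TCP ... DPT=80 ..."
# The bracketed uptime stamp is optional (older kernels omit it).
LOG_LINE = re.compile(r"kernel: (?:\[\s*[\d.]+\] )?(?P<prefix>[^:]*): (?P<fields>.*)$")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample: two blocked HTTP attempts to a foreign host, one blocked
# DNS query, one unrelated inbound reject and one non-firewall line.
SAMPLE_LOG = """\
Oct  3 14:30:01 tomcathost kernel: [  812.102345] OUT-REJECT: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=45678 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  3 14:30:04 tomcathost kernel: [  815.102411] OUT-REJECT: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4322 DF PROTO=TCP SPT=45678 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  3 14:30:05 tomcathost kernel: [  816.300000] OUT-REJECT: IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.53 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=UDP SPT=51000 DPT=53 LEN=52
Oct  3 14:30:06 tomcathost kernel: [  817.000000] IN-REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Oct  3 14:30:07 tomcathost sshd[1234]: Accepted publickey for admin from 10.0.0.9 port 5555 ssh2
"""


def parse_log_line(line, prefix="OUT-REJECT"):
    """Return a dict for a LOG line carrying our prefix, or None for any other line."""
    m = LOG_LINE.search(line)
    if m is None or m.group("prefix").strip() != prefix:
        return None
    fields = dict(FIELD.findall(m.group("fields")))  # later duplicates (e.g. LEN=) win
    if "DST" not in fields or "PROTO" not in fields:
        return None
    dport = fields.get("DPT")
    return {
        "src": fields.get("SRC"),
        "dst": fields["DST"],
        "proto": fields["PROTO"],
        "dport": int(dport) if dport and dport.isdigit() else None,
        "out_if": fields.get("OUT") or None,
    }


def is_foreign(addr):
    """True when the address lies outside every network in LOCAL_NETS."""
    ip = ip_address(addr)
    return not any(ip in net for net in LOCAL_NETS)


def summarize(lines, prefix="OUT-REJECT"):
    """Count blocked outbound flows per (dst, proto, dport) and collect the
    TCP/80 attempts to foreign hosts that Chris's message says to look for."""
    counts = Counter()
    http_to_foreign = []
    for line in lines:
        rec = parse_log_line(line, prefix)
        if rec is None:
            continue
        counts[(rec["dst"], rec["proto"], rec["dport"])] += 1
        if rec["proto"] == "TCP" and rec["dport"] == 80 and is_foreign(rec["dst"]):
            http_to_foreign.append(rec)
    return counts, http_to_foreign


def report(lines, prefix="OUT-REJECT"):
    """Human-readable summary, most frequently blocked flow first."""
    counts, http = summarize(lines, prefix)
    out = ["blocked outbound flows (dst, proto, dport -> count):"]
    for (dst, proto, dport), n in counts.most_common():
        out.append(f"  {dst:<15} {proto:<4} {dport!s:>5} -> {n}")
    out.append(f"TCP/80 attempts to foreign hosts: {len(http)}")
    return "\n".join(out)


if __name__ == "__main__":
    # Pass a kern.log path to read the real log; with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(report(fh))
    else:
        print(report(SAMPLE_LOG.splitlines()))
```

On the sample the summary shows two blocked TCP/80 attempts to 192.0.2.10, which is exactly the pattern Chris describes for a parser retrying an external DTD URL; a blocked UDP/53 flow would show up the same way, so the report also makes other startup-time lookups visible. The script deliberately keys on the log prefix, so inbound rejects logged under a different prefix are ignored.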



