From: André Warnier
Date: Wed, 22 Jan 2014 17:34:41 +0100
To: Tomcat Users List
Subject: Re: [OT] RE: Cannot connect from outside using Tomcat 7/APR/SSL on AWS Windows system

Christopher Schultz wrote:
> Konstantin,
>
> On 1/22/14, 9:03 AM, Konstantin Preißer wrote:
>> Hi Jeffrey,
>>
>>> -----Original Message----- From: Jeffrey Janner
>>> [mailto:Jeffrey.Janner@PolyDyne.com] Sent: Tuesday, January 21,
>>> 2014 10:19 PM
>>>
>>> Eureka, I finally figured it out! It was a real eureka moment,
>>> some remembrance burned its way up from my subconscious and I had
>>> the answer. Ready guys? Really surprised no one mentioned it. It
>>> was Windows F-ing Firewall!!!!!
>> Good to hear that you could find and solve the problem.
>>
>> (Off topic:)
>>
>>> I HATE WINDOWS!!!!!!
>> What I can't quite understand is, how one can "hate" Windows or its
>> "F-ing" firewall, if they just do what they were configured to
>> do... ;-)
>>
>> When setting up the Windows Firewall, I normally only create rules
>> for specific (TCP) ports, not for specific executables, so that the
>> firewall allows connections to a TCP port regardless of what the
>> name or path of the executable is.
>
> Actually, as surprising as it can sometimes be, I find that the
> Windows firewall is better than iptables *because* it /can/ do things
> like this. You can make your system a bit safer.
>
> For instance, if your server is compromised (yes, I know, once you're
> owned, you're owned) and the attacker installs some malware of some
> kind, that malware will not be able to bind to a port or even make
> outgoing connections, even on "standard" outgoing ports -- for
> instance HTTP.
>
> Lots of malware connects to external C&C servers to give instructions,
> and the Windows firewall makes it easy to prevent that from happening
> even when ports like 80 are used -- and typically left wide-open on
> servers.
>

Of course, one could argue that the Windows Firewall needs to offer this, because it is inherently easier to infect with malware a Windows server than a Linux server. So it needs to compensate somehow.. ;-)
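
The difference between the port-only rules and the program-scoped rules discussed in this thread, as an added example that is not part of the original messages. It assumes Windows Server 2012 or later (the NetSecurity cmdlets), HTTPS on TCP 443, and a hypothetical Tomcat path and rule names; adjust them to the actual install.

```powershell
# Added example, not from the thread. Path and rule names are hypothetical.
$tomcatExe = 'C:\Tomcat7\bin\tomcat7.exe'

# Port-only form (what Konstantin describes), shown for comparison only:
#   New-NetFirewallRule -DisplayName 'HTTPS in' -Direction Inbound `
#       -Protocol TCP -LocalPort 443 -Action Allow
# Any process that manages to bind TCP 443 is reachable through that rule.

# Program-scoped form (what Christopher describes): the port is open only
# when the listening process is this exact executable.
New-NetFirewallRule -DisplayName 'Tomcat HTTPS in' -Direction Inbound `
    -Program $tomcatExe -Protocol TCP -LocalPort 443 -Action Allow

# Outbound side: block by default, then allow named programs only. An
# unknown binary can then no longer call out on port 80 or 443. Every other
# outbound flow the server needs must have its own allow rule before this
# default is switched on.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
New-NetFirewallRule -DisplayName 'Tomcat HTTPS out' -Direction Outbound `
    -Program $tomcatExe -Protocol TCP -RemotePort 443 -Action Allow

# Audit: list enabled inbound TCP allow rules that are not tied to any
# program, i.e. rules that admit traffic to whichever process holds the port.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $app  = $_ | Get-NetFirewallApplicationFilter
        $port = $_ | Get-NetFirewallPortFilter
        if ($app.Program -eq 'Any' -and $port.Protocol -eq 'TCP') {
            [pscustomobject]@{
                Rule      = $_.DisplayName
                LocalPort = $port.LocalPort -join ','
            }
        }
    }
```

A program-scoped rule matches on the executable's path, so it is only as strong as the file permissions on that path.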