If you look at how the Apache multi-processing models are implemented
(i.e., multi-process and multi-threaded) you will find that there is a
process/thread that listens on port 80 (or whatever port you configure
for your server).  When a connection arrives, it hands that connection
off to another process or thread on a different port to handle the
client requests.  That master process/thread then immediately goes back
to listening on its port.

You could utilize the same approach with your monitoring application.
You could have a master process or thread that handles spawning handler
processes or threads for each inbound request.  In an instance like that,
normal connection tracking mechanisms will then handle the rest.

Regards,

-Roberto
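One way to realise the master/worker design Roberto describes, as an added example that is not from this thread or from the Shorewall project: a single fixed listening port accepts every callback, a worker thread reads a first line naming the monitored server and routes the connection to that server's check handler, so the monitoring host's firewall needs one ALLOW rule for one port instead of a rule per check instance or per random high port. The `Dispatcher` class, the one-line wire format and the `web01` name are assumptions made for the example.

```python
import socket
import threading

def read_line(sock):  # read one newline-terminated line from a blocking socket
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode().strip()
class Dispatcher:
    # Master listener on one fixed port; each callback is handed to a worker thread.
    def __init__(self, host="127.0.0.1", port=0):  # port 0: OS picks a free port
        self.handlers = {}                          # server name -> handler
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, port))
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
    def register(self, name, handler):
        self.handlers[name] = handler
    def serve_one(self):
        # Master role: accept, hand off to a worker, go straight back to listening.
        conn, _addr = self.sock.accept()
        t = threading.Thread(target=self._handle, args=(conn,), daemon=True)
        t.start()
        return t
    def _handle(self, conn):
        with conn:
            # Constructed wire format: the first line names the monitored server.
            ident = read_line(conn)
            handler = self.handlers.get(ident)
            if handler is None:
                conn.sendall(b"ERR unknown server\n")  # not registered: reject
            else:
                handler(conn, ident)

def demo():
    # Two constructed callbacks to the single port: one registered, one unknown.
    d = Dispatcher()
    d.register("web01", lambda conn, ident: conn.sendall(f"OK {ident}\n".encode()))
    replies = []
    for name in ("web01", "unknown99"):
        c = socket.create_connection(("127.0.0.1", d.port))
        c.sendall(f"{name}\n".encode())
        d.serve_one().join()          # master accepts, worker answers
        replies.append(read_line(c))
        c.close()
    d.sock.close()
    return replies
```

In production the dispatcher would bind the one agreed port on the monitoring host and the monitored servers would be told that port instead of a per-instance one.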

On Tue, Jul 09, 2013 at 11:02:21AM +0800, Steve Wray wrote:
>    As there are so many servers being monitored and the server check
>    application has to run individually for each one it can't just listen on
>    one port; each instance of the server check application has to listen on
>    its own port. It tells the monitored server which port to connect back to.
>    I guess in this respect it's similar to active FTP (which is a pain to
>    firewall).
> 
>    On 9 July 2013 09:58, Roberto C. Sánchez <[email protected]> wrote:
> 
>      On Tue, Jul 09, 2013 at 09:36:07AM +0800, Steve Wray wrote:
>      > I have a firewall problem.
>      > Our developers produced an application which I need to use for
>      > monitoring.
>      > The application makes an outgoing connection to one of our servers
>      > on port 443. This server then makes a TCP connection back to the
>      > application on the monitoring server on a random high port.
>      > I'd like to put a firewall on the monitoring server but this is
>      > making it difficult. There are about 100 servers being monitored and
>      > we change their IP addresses often, I don't want to create a blanket
>      > 'ALLOW' rule for each of them.
>      > Does anyone have any suggestions?
>      > Is it possible to allow incoming connections to a specific
>      > application?
> 
>      It sounds like a rather cumbersome application design.  What about
>      choosing a fixed port for the monitoring server to listen on?  If that
>      won't work, I suggest looking at how active FTP firewall traversal is
>      handled (i.e., an application gateway).
> 
>      Regards,
> 
>      -Roberto
>      --
>      Roberto C. Sánchez
>      http://people.connexer.com/~roberto
>      http://www.connexer.com
> 
> 



-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com

Attachment: signature.asc
Description: Digital signature
