That's just it, though. Take the firewall out of the equation, and the
application works fine. I understand that the destination port is what
matters, and it does; you're right about that. Let me describe a scenario,
to see if this helps explain the problem.
I'm running tomcat + application at location A, you're running the same
application + tomcat at location B.
Scenario 1) You, site B, have no firewall restrictions. I, site A, send
you, site B a message to port 443. Application does its thing, and sends a
confirmation message, on _your_ local port, between 1024-5000. The
destination is port 443 of site A. I receive the confirmation, and everyone
is happy.
Scenario 2) Now, your new security guru puts the clamps down on all
outbound ports at site B. Taking the same scenario as 1), all works fine
UNTIL you, site B, try to send the response. Because all outbound ports
have been blocked, the message does not get back to site A.
Having said all that (sorry so long), at site B, you convince your security
guy to open ports 2000-2005 (for example). What can I alter to guarantee
that messages will be sent out on these ports? Thanks again for your help.
>From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: <[EMAIL PROTECTED]>
>Subject: Re: Specify outbound port on tomcat
>Date: Fri, 7 Sep 2001 16:56:50 -0700 (PDT)
>
>
>
>On Fri, 7 Sep 2001, Joe Pearse wrote:
>
> > Date: Fri, 07 Sep 2001 16:49:09 -0700
> > From: Joe Pearse <[EMAIL PROTECTED]>
> > Reply-To: [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Subject: Re: Specify outbound port on tomcat
> >
> > The application itself is generating the message being sent out. In the
> > basic sense, a browser is not involved. For example, information is
> > received on port 443, and processed by the application. From that, a
> > java.net.URL object is created, and the message is fired off to the
> > specified client URL. When firing off the message, the outbound port
> > (1024-5000) is chosen, and I'm not sure what chooses the port, and if I
> > can restrict it.
>
>OK, to make an outbound connection, you definitely need a port on the
>local server. But what matters to a firewall is the port on the
>*destination* of that connection, not the *origin*. What port number on
>the client are you sending to? In order for things to work, *this* is the
>port number your firewall has to allow through (assuming that the client
>is on the other side of it, of course).
>
>Which, of course, raises the question of why do this anyway, when you can
>simply return data in the HTTP response to the request you are processing,
>but that's a different question.
>
>Craig
>
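The question left open above is how a Java application can force its outbound connection to use a local (source) port from an approved range such as 2000-2005. The following is an added example, not code from the thread or from Tomcat: it binds the socket explicitly before connecting instead of letting the OS pick an ephemeral port, and walks the range when a port is still busy. The host name `site-a.example` and the port range are placeholders.

```java
import java.io.IOException;
import java.net.BindException;
import java.net.InetSocketAddress;
import java.net.Socket;

/**
 * Opens an outbound TCP connection whose *local* (source) port is taken
 * from an administrator-approved range instead of the OS ephemeral range.
 * The range 2000-2005 is the hypothetical one from the thread above.
 */
public class PinnedSourcePortClient {

    public static Socket connectFromRange(String host, int destPort,
                                          int firstLocal, int lastLocal,
                                          int timeoutMs) throws IOException {
        for (int local = firstLocal; local <= lastLocal; local++) {
            Socket s = new Socket();                 // unbound, unconnected
            try {
                // Allow rebinding a port that is still in TIME_WAIT from an
                // earlier connection; with only six ports this matters.
                s.setReuseAddress(true);
                // Bind the local endpoint first; without this the kernel
                // chooses the source port (1024-5000 on the Windows of the era).
                s.bind(new InetSocketAddress(local));
                s.connect(new InetSocketAddress(host, destPort), timeoutMs);
                return s;
            } catch (BindException inUse) {
                s.close();                           // port taken, try the next one
            } catch (IOException other) {
                s.close();                           // connect failed, do not leak the socket
                throw other;
            }
        }
        throw new IOException("no free local port in " + firstLocal + "-" + lastLocal);
    }

    public static void main(String[] args) throws IOException {
        // Placeholder destination: site A's listener on port 443.
        try (Socket s = connectFromRange("site-a.example", 443, 2000, 2005, 5000)) {
            System.out.println("connected from local port " + s.getLocalPort());
        }
    }
}
```

Because `java.net.URL` does not expose the local port, a pinned source port for an HTTPS callback requires wrapping the bound socket with `SSLSocketFactory.createSocket(Socket, host, port, autoClose)` rather than using the URL handler directly. As Craig notes, a firewall normally filters on the destination port, so confirm with the site B administrator that source-port filtering is really what is in place before relying on this.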