On Fri, 7 Sep 2001, Joe Pearse wrote:
> Date: Fri, 07 Sep 2001 17:19:23 -0700
> From: Joe Pearse <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: Specify outbound port on tomcat
>
> That's just it, though. Take the firewall out of the equation, and the
> application works fine. I understand that the destination port is what
> matters, and it does; you're right about that. Let me describe a scenario,
> to see if this helps explain the problem.
>
> I'm running tomcat + application at location A, you're running the same
> application + tomcat at location B.
>
> Scenario 1) You, site B, have no firewall restrictions. I, site A, send
> you, site B a message to port 443. Application does its thing, and sends a
> confirmation message, on _your_ local port, between 1024-5000. The
> destination is port 443 of site A. I receive the confirmation, and everyone
> is happy.
In other words, the app on B is making its *own* URLConnection back to A?
If so, why? I've been assuming that B just does it's thing and returns
its response to the client on the same connection.
>
> Scenario 2) Now, your new security guru puts the clamps down on all
> outbound ports at site B. Taking the same scenario as 1), all works fine
> UNTIL you, site B, tries to send the response. Because all outbound ports
> have been blocked, the message does not get back to site A.
>
We may be hopelessly mired in semantics here, but ...
>From the perspective of host B, the call from host A would seem to be an
*inbound* connection. The way HTTP works, the response (from B back to A)
is returned on the very same connection -- there is never a need for B to
make an *outbound* connection for this purpose.
What it sounds like you are describing is a firewall configuration that:
* Allows an inbound connection (from host A port xxxx) to port 443
* Allows data to be *read* from that connection
* Does *not* allow data to be written to that very same connection
which seems pretty non-sensical.
> Having said all that (sorry so long), at site B, you convince your security
> guy to open ports 2000-2005 (for example). What can I alter to guarantee
> that messages will be sent out on these ports? Thanks again for your help.
>
If there is, it would have to be a property of java.net.URLConnection --
or, more likely, of java.net.Socket underneath it. And, judging from the
Javadocs, there does ot seem to be such a thing.
After all this, its kinda sorta off topic :-).
Craig
>
> >From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
> >Reply-To: [EMAIL PROTECTED]
> >To: <[EMAIL PROTECTED]>
> >Subject: Re: Specify outbound port on tomcat
> >Date: Fri, 7 Sep 2001 16:56:50 -0700 (PDT)
> >
> >
> >
> >On Fri, 7 Sep 2001, Joe Pearse wrote:
> >
> > > Date: Fri, 07 Sep 2001 16:49:09 -0700
> > > From: Joe Pearse <[EMAIL PROTECTED]>
> > > Reply-To: [EMAIL PROTECTED]
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: Specify outbound port on tomcat
> > >
> > > The application itself is generating the message being sent out. In the
> > > basic sense, a browser is not involved. For example, information is
> > > received on port 443, and processed by the application. From that, a
> > > java.net.URL object is created, and the message is fired off to the
> > > specified client URL. When firing off the message, the outbound port
> > > (1024-5000) is chosen, and I'm not sure what chooses the port, and if I
> >can
> > > restrict it.
> >
> >OK, to make an outbound connection, you definitely need a port on the
> >local server. But what matters to a firewall is the port on the
> >*destination* of that connection, not the *origin*. What port number on
> >the client are you sending to? In order for things to work, *this* is the
> >port number your firewall has to allow through (assuming that the client
> >is on the other side of it, of course).
> >
> >Which, of course, raises the question of why do this anyway, when you can
> >simply return data in the HTTP response to the request you are processing,
> >but that's a different question.
> >
> >Craig
> >
>
>
> _________________________________________________________________
> Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
>
>
