It seems to me that the solution to the problem is to tweak the firewall
rules. If a site is a host, then you can just create a rule that allows
host A and B to communicate. You could set it up so that outgoing
connections from host A are permitted/restricted to host B on port 443.
Assuming it's a stateful firewall, the firewall will keep track of things.
So, if host A binds to local port 4000 (or whatever other random port number
the TCP stack chooses) and connects to host B on destination port 443, the
firewall sees this and dynamically generates a rule that allows packets that
have the opposite values to flow through. The key is that you need a
stateful firewall. I would assume that most standalone firewalls, if that is
what you're using, are.

Jon

----- Original Message -----
From: "Joe Pearse" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 07, 2001 7:19 PM
Subject: Re: Specify outbound port on tomcat


> That's just it, though.  Take the firewall out of the equation, and the
> application works fine.  I understand that the destination port is what
> matters, and it does; you're right about that.  Let me describe a scenario,
> to see if this helps explain the problem.
>
> I'm running tomcat + application at location A, you're running the same
> application + tomcat at location B.
>
> Scenario 1)  You, site B, have no firewall restrictions.  I, site A, send
> you, site B a message to port 443.  Application does its thing, and sends a
> confirmation message, on _your_ local port, between 1024-5000.  The
> destination is port 443 of site A.  I receive the confirmation, and everyone
> is happy.
>
> Scenario 2)  Now, your new security guru puts the clamps down on all
> outbound ports at site B.  Taking the same scenario as 1), all works fine
> UNTIL you, site B, try to send the response.  Because all outbound ports
> have been blocked, the message does not get back to site A.
>
> Having said all that (sorry so long), at site B, you convince your security
> guy to open ports 2000-2005 (for example).  What can I alter to guarantee
> that messages will be sent out on these ports?  Thanks again for your help.
>
>
> >From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
> >Reply-To: [EMAIL PROTECTED]
> >To: <[EMAIL PROTECTED]>
> >Subject: Re: Specify outbound port on tomcat
> >Date: Fri, 7 Sep 2001 16:56:50 -0700 (PDT)
> >
> >
> >
> >On Fri, 7 Sep 2001, Joe Pearse wrote:
> >
> > > Date: Fri, 07 Sep 2001 16:49:09 -0700
> > > From: Joe Pearse <[EMAIL PROTECTED]>
> > > Reply-To: [EMAIL PROTECTED]
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: Specify outbound port on tomcat
> > >
> > > The application itself is generating the message being sent out.  In the
> > > basic sense, a browser is not involved.  For example, information is
> > > received on port 443, and processed by the application.  From that, a
> > > java.net.URL object is created, and the message is fired off to the
> > > specified client URL.  When firing off the message, the outbound port
> > > (1024-5000) is chosen, and I'm not sure what chooses the port, and if I can
> > > restrict it.
> >
> >OK, to make an outbound connection, you definitely need a port on the
> >local server.  But what matters to a firewall is the port on the
> >*destination* of that connection, not the *origin*.  What port number on
> >the client are you sending to?  In order for things to work, *this* is the
> >port number your firewall has to allow through (assuming that the client
> >is on the other side of it, of course).
> >
> >Which, of course, raises the question of why do this anyway, when you can
> >simply return data in the HTTP response to the request you are processing,
> >but that's a different question.
> >
> >Craig
> >
>
>
>
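Jon's stateful-firewall explanation above, replayed as a small connection-tracking simulation. This is an added example, not code from anyone in this thread; the addresses (10.0.0.1 for site A, 10.0.0.2 for site B), the port numbers and the rule sets are constructed for the illustration. It shows why site B's HTTP response gets back to site A even with all outbound ports closed (it rides a tracked connection), why the application's second connection back to A:443 does not (it is a new outbound connection), and why the local port B's stack picks for that second connection never enters into the decision.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """One TCP segment, reduced to the fields a packet filter looks at."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first segment of a new connection


@dataclass
class StatefulFirewall:
    """Packet filter in front of one host (constructed model, not a real product).

    Static rules only decide whether a *new* connection may be opened.
    Every accepted new connection is recorded in the connection-tracking
    table; a later packet is accepted as a reply if it carries the
    "opposite values" (addresses and ports swapped) of a tracked connection.
    """
    host: str
    allow_out: set   # (remote_host, remote_port) pairs this host may connect to
    allow_in: set    # local ports on which this host may accept connections
    conntrack: set = field(default_factory=set)  # (initiator, iport, responder, rport)

    def filter(self, pkt: Packet) -> bool:
        """Return True if the packet is allowed through, False if dropped."""
        # A reply always has the tracked tuple with the two ends swapped,
        # whichever direction it travels in.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return True
        if pkt.src == self.host:                      # new outbound connection?
            if pkt.syn and (pkt.dst, pkt.dport) in self.allow_out:
                self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
        elif pkt.dst == self.host:                    # new inbound connection?
            if pkt.syn and pkt.dport in self.allow_in:
                self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
        return False                                  # no rule, no tracked connection


A, B = "10.0.0.1", "10.0.0.2"   # constructed addresses for site A and site B


def run_scenario(allow_callback_to_a: bool, callback_sport: int = 3000) -> dict:
    """Replay the thread's scenario 2 against site B's firewall.

    Site B accepts new inbound connections on 443 only.  With
    allow_callback_to_a=False every new outbound connection from B is
    blocked, as in the thread; with True the one rule Jon suggests is added
    (B may open connections to A on port 443).  callback_sport is whatever
    local port B's TCP stack happens to choose for the second connection.
    Returns the verdict for each packet.
    """
    fw_b = StatefulFirewall(
        host=B,
        allow_out={(A, 443)} if allow_callback_to_a else set(),
        allow_in={443},
    )
    v = {}
    # 1. A opens a connection to B:443 from ephemeral port 4000.
    v["A:4000->B:443 new"] = fw_b.filter(Packet(A, 4000, B, 443, syn=True))
    # 2. B's HTTP response rides the same connection; it is tracked, so it
    #    passes even though B allows no new outbound connections at all.
    v["B:443->A:4000 reply"] = fw_b.filter(Packet(B, 443, A, 4000))
    # 3. The application opens a *second* connection back to A:443.  This is
    #    a new outbound connection, so only a static rule can permit it.
    v["B->A:443 callback"] = fw_b.filter(Packet(B, callback_sport, A, 443, syn=True))
    # 4. A's answer to the callback is accepted only if step 3 was tracked.
    v["A:443->B callback reply"] = fw_b.filter(Packet(A, 443, B, callback_sport))
    # 5. An unsolicited segment to an ephemeral port on B matches nothing.
    v["A:9999->B:4000 unsolicited"] = fw_b.filter(Packet(A, 9999, B, 4000))
    return v


if __name__ == "__main__":
    for allowed in (False, True):
        print(f"B may open connections to A:443 = {allowed}")
        for step, ok in run_scenario(allowed).items():
            print(f"  {'ACCEPT' if ok else 'DROP  '}  {step}")
```

The split the model makes (one rule for new connections, a tracking table for everything else) is the same one a real stateful filter makes, so opening ports 2000-2005 for the source side, as Joe's security guy proposes, buys nothing: the verdicts are identical whether the callback leaves from local port 3000 or 2001, and the only rule that matters is the one naming the destination A:443.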
