I believe it's the same as a conversation between your web browser and
Apache. When Apache makes a request of Tomcat, it uses the first available
port on the local machine to open a connection to Tomcat. On a Linux box,
check /proc/sys/net/ipv4/ip_local_port_range for the range of available
ports. Tomcat will reply back on the same port. If you really want firewall
security that tight, you might want to check into stateful inspection on the
Apache server. There, the ports are opened based on outgoing requests and
closed when the connection is closed. I believe iptables supports this
using the state match extension module, but you'll have to check the docs
since I've never tried it.
My thoughts on the subject -- anyone else?
--David Smith
On Wednesday 12 September 2001 05:32 pm, you wrote:
> Hello,
>
> I'm setting up a pair of machines, one of which is running tomcat, and the
> other of which is running apache. I am using ajp13 to connect the two
> machines, and am trying to configure an iptables firewall on the apache
> machine (the tomcat machine will be next).
>
> The roadblock that I'm running into is that I don't know which ports
> will be used as the destination ports on the apache machine when tomcat
> replies. The ports that I set up in server.xml and in
> workers.properties are the source of my replies...
>
> Looking at my syslog log file, I see that I'm getting information sent
> to ports 32769 up through 32792 (and maybe even more, I haven't looked
> through them that much yet). An example line is included below:
>
> Sep 12 11:42:51 web1 kernel: INT_IN DROP 7 IN=eth1
> OUT=MAC=00:30:48:11:69:a8:00:b0:d0:e1:cc:0f:08:00 SRC=192.168.1.32
> DST=192.168.1.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP
> SPT=8011 DPT=32794 WINDOW=5792 RES=0x00 ACK SYN URGP=0
>
> Where is this port configured (if it's configurable)? Or, does anyone
> know which ports I need to be leaving open?
>
> Thanks very much for any help!
>
> Sincerely,
>
> Scott
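The stateful approach David describes, worked through as an added example (not code from either poster): a small POSIX shell script that pulls the fields out of a kernel log line like the one in Scott's message, decides whether the dropped packet is Tomcat's SYN/ACK back to a port Apache chose from ip_local_port_range, and prints the iptables rules that use the state match module instead of opening the whole ephemeral range. The log line is constructed (modelled on the one quoted above, with `OUT=` and `MAC=` separated as the kernel prints them); the AJP port 8011 and the two addresses come from that line; the fallback range 32768-61000 is a constructed stand-in used only when /proc/sys/net/ipv4/ip_local_port_range is not readable. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumes AJP13 on port 8011
# and the addresses from the quoted log line; prints rules, does not load them.

# Constructed kernel log line, modelled on the one in the post.
LOG_LINE='Sep 12 11:42:51 web1 kernel: INT_IN DROP 7 IN=eth1 OUT= MAC=00:30:48:11:69:a8:00:b0:d0:e1:cc:0f:08:00 SRC=192.168.1.32 DST=192.168.1.21 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8011 DPT=32794 WINDOW=5792 RES=0x00 ACK SYN URGP=0'

# Print the value of KEY=value from a netfilter log line (empty if absent).
log_field() {
    key=$1; line=$2
    printf '%s\n' "$line" | sed -n "s/.*[[:space:]]$key=\([^[:space:]]*\).*/\1/p"
}

# The range the kernel picks client-side (ephemeral) ports from.
# Falls back to a constructed range when /proc is not available.
ephemeral_range() {
    if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
        cat /proc/sys/net/ipv4/ip_local_port_range
    else
        echo "32768 61000"   # constructed stand-in, not a measured value
    fi
}

# Return 0 when LINE is a TCP SYN/ACK from Tomcat's AJP port to a port in
# [LOW, HIGH], i.e. the reply half of a connection Apache itself opened.
is_ajp_reply() {
    line=$1; ajp_port=$2; low=$3; high=$4
    [ "$(log_field PROTO "$line")" = TCP ] || return 1
    [ "$(log_field SPT "$line")" = "$ajp_port" ] || return 1
    dpt=$(log_field DPT "$line")
    [ -n "$dpt" ] && [ "$dpt" -ge "$low" ] && [ "$dpt" -le "$high" ] || return 1
    case " $line " in
        *" ACK SYN "*) return 0 ;;   # flag tokens appear bare in the log
        *) return 1 ;;
    esac
}

# Emit a stateful rule set for the Apache side: Apache may open new
# connections to Tomcat's AJP port, replies are matched by connection state,
# and nothing else inbound on the interface is accepted. No hole is punched
# for the ephemeral range at all.
ajp_stateful_rules() {
    iface=$1; tomcat=$2; ajp_port=$3
    cat <<EOF
iptables -A OUTPUT -o $iface -p tcp -d $tomcat --dport $ajp_port -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $iface -j LOG --log-prefix "INT_IN DROP "
iptables -A INPUT -i $iface -j DROP
EOF
}

# Stand-alone demo: classify the logged packet, then show the replacement rules.
set -- $(ephemeral_range)
if is_ajp_reply "$LOG_LINE" 8011 "$1" "$2"; then
    echo "dropped packet is Tomcat's reply to a connection Apache opened (DPT=$(log_field DPT "$LOG_LINE") in $1-$2)"
    ajp_stateful_rules eth1 192.168.1.32 8011
fi
```

Run it with `sh` and it prints the rules rather than applying them, so they can be read against the existing chain first. The ESTABLISHED,RELATED rule is what makes the ephemeral destination port irrelevant: the kernel remembers the connection Apache opened to port 8011 and lets the matching reply through, then forgets it when the connection closes.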