Hi Omar,

wouldn't it be possible to just create an iptables rule that allows access to 1098 only from localhost? I don't think you can open a socket just for localhost programmatically (at least not from Java).

Best,

Arvid

On Tue, May 12, 2020 at 12:51 PM Omar Gawi <omar.g...@gmail.com> wrote:

> Hi All,
>
> I have Apache Flink running as part of our Java program, on a Linux
> machine.
> The Flink runs on thread(s) within the same Java process.
> I see that the machine has the BLOB server port 1098 exposed to the
> outside:
>
> davc@sdavc:~$ netstat -anp | grep LISTEN
> (Not all processes could be identified, non-owned process info
>  will not be shown, you would have to be root to see it all.)
> tcp        0      0 0.0.0.0:22        0.0.0.0:*     LISTEN      -
> tcp        0      0 127.0.0.1:5432    0.0.0.0:*     LISTEN      311/postgres
> tcp6       0      0 :::8080           :::*          LISTEN      -
> tcp6       0      0 :::21             :::*          LISTEN      -
> tcp6       0      0 :::22             :::*          LISTEN      -
> tcp6       0      0 ::1:5432          :::*          LISTEN      311/postgres
> tcp6       0      0 :::8443           :::*          LISTEN      -
> *tcp6      0      0 :::1098           :::*          LISTEN      -*
>
> This brings security concerns to our team: when another external user/system
> opens a connection (for telnet or other protocols) to this port
> (accidentally or not), we get the below error in the Java app log:
>
> 2020-04-23 07:54:58 ERROR BlobServerConnection:131 - Error while executing BLOB connection.
> java.io.IOException: Unknown operation 3
>     at org.apache.flink.runtime.blob.BlobServerConnection.run(BlobServerConnection.java:122)
>
> My question is whether there is a way to avoid exposing this port to the outside,
> and keep it available only for its original purpose: serving the
> localhost/127.0.0.1 requests which come from the Flink engine.
>
> Thank you and stay safe.
>
> Omar

--
Arvid Heise | Senior Java Developer
<https://www.ververica.com/>
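
Added example, not part of the original thread: a POSIX shell sketch that finds wildcard-bound listeners in the netstat lines quoted above and prints (without running) loopback-only firewall rules for a port. The function names are hypothetical, and it assumes Linux with the default `net.ipv6.bindv6only=0`, where the `tcp6` socket on `:::1098` also accepts IPv4, so both `iptables` and `ip6tables` need the rule.

```shell
#!/bin/sh
# Sample input: the LISTEN lines from the netstat output quoted in the thread.
SAMPLE='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 311/postgres
tcp6 0 0 :::8080 :::* LISTEN -
tcp6 0 0 :::21 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 ::1:5432 :::* LISTEN 311/postgres
tcp6 0 0 :::8443 :::* LISTEN -
tcp6 0 0 :::1098 :::* LISTEN -'

# Read netstat lines on stdin; print "proto port" for each listener bound to
# a wildcard address (0.0.0.0 or ::), i.e. reachable on every interface.
wildcard_listeners() {
  awk '$6 == "LISTEN" {
         addr = $4
         port = addr; sub(/.*:/, "", port)   # text after the last colon
         host = substr(addr, 1, length(addr) - length(port) - 1)
         if (host == "0.0.0.0" || host == "::") print $1, port
       }'
}

# Exit 0 if port $1 is wildcard-bound in the netstat text on stdin.
is_exposed() {
  wildcard_listeners | awk -v p="$1" '$2 == p { found = 1 } END { exit !found }'
}

# Print rules that drop TCP traffic to port $1 unless it arrives on the
# loopback interface. Rules are only printed; review before applying as root.
lockdown_rules() {
  case $1 in
    ''|*[!0-9]*) echo "invalid port: $1" >&2; return 1 ;;
  esac
  for fw_cmd in iptables ip6tables; do
    echo "$fw_cmd -A INPUT -p tcp --dport $1 ! -i lo -j DROP"
  done
}

if printf '%s\n' "$SAMPLE" | is_exposed 1098; then
  lockdown_rules 1098
fi
```

Rules added this way do not survive a reboot unless saved with the distribution's persistence mechanism, and running `netstat` again still shows `:::1098` because the socket binding itself is unchanged.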