Re: Specify outbound port on tomcat
It seems to me the solution to the problem is to tweak the firewall rules. If a site is a host, then you can just create a rule that allows host A and B to communicate. You could set it up so that outgoing connections from host A are permitted/restricted to host B on port 443. Assuming it's a stateful firewall, the firewall will keep track of things. So, if host A binds to local port 4000 (or whatever other random port number the TCP stack chooses) and connects to host B on destination port 443, the firewall sees this and dynamically generates a rule that allows packets that have the opposite values to flow through.

The key is that you need a stateful firewall. I would assume that most standalone firewalls, if that is what you're using, are.

Jon

----- Original Message -----
From: "Joe Pearse" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 07, 2001 7:19 PM
Subject: Re: Specify outbound port on tomcat

> That's just it, though. Take the firewall out of the equation, and the
> application works fine. I understand that the destination port is what
> matters, and it does; you're right about that. Let me describe a scenario,
> to see if this helps explain the problem.
>
> I'm running tomcat + application at location A, you're running the same
> application + tomcat at location B.
>
> Scenario 1) You, site B, have no firewall restrictions. I, site A, send
> you, site B a message to port 443. Application does its thing, and sends a
> confirmation message, on _your_ local port, between 1024-5000. The
> destination is port 443 of site A. I receive the confirmation, and everyone
> is happy.
>
> Scenario 2) Now, your new security guru puts the clamps down on all
> outbound ports at site B. Taking the same scenario as 1), all works fine
> UNTIL you, site B, tries to send the response. Because all outbound ports
> have been blocked, the message does not get back to site A.
>
> Having said all that (sorry so long), at site B, you convince your security
> guy to open ports 2000-2005 (for example). What can I alter to guarantee
> that messages will be sent out on these ports? Thanks again for your help.
>
> > From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
> > Reply-To: [EMAIL PROTECTED]
> > To: <[EMAIL PROTECTED]>
> > Subject: Re: Specify outbound port on tomcat
> > Date: Fri, 7 Sep 2001 16:56:50 -0700 (PDT)
> >
> > On Fri, 7 Sep 2001, Joe Pearse wrote:
> >
> > > Date: Fri, 07 Sep 2001 16:49:09 -0700
> > > From: Joe Pearse <[EMAIL PROTECTED]>
> > > Reply-To: [EMAIL PROTECTED]
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: Specify outbound port on tomcat
> > >
> > > The application itself is generating the message being sent out. In the
> > > basic sense, a browser is not involved. For example, information is
> > > received on port 443, and processed by the application. From that, a
> > > java.net.URL object is created, and the message is fired off to the
> > > specified client URL. When firing off the message, the outbound port
> > > (1024-5000) is chosen, and I'm not sure what chooses the port, and if I can
> > > restrict it.
> >
> > OK, to make an outbound connection, you definitely need a port on the
> > local server. But what matters to a firewall is the port on the
> > *destination* of that connection, not the *origin*. What port number on
> > the client are you sending to? In order for things to work, *this* is the
> > port number your firewall has to allow through (assuming that the client
> > is on the other side of it, of course).
> >
> > Which, of course, raises the question of why do this anyway, when you can
> > simply return data in the HTTP response to the request you are processing,
> > but that's a different question.
> >
> > Craig
Re: Specify outbound port on tomcat
On Fri, 7 Sep 2001, Joe Pearse wrote:

> Date: Fri, 07 Sep 2001 17:19:23 -0700
> From: Joe Pearse <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: Specify outbound port on tomcat
>
> That's just it, though. Take the firewall out of the equation, and the
> application works fine. I understand that the destination port is what
> matters, and it does; you're right about that. Let me describe a scenario,
> to see if this helps explain the problem.
>
> I'm running tomcat + application at location A, you're running the same
> application + tomcat at location B.
>
> Scenario 1) You, site B, have no firewall restrictions. I, site A, send
> you, site B a message to port 443. Application does its thing, and sends a
> confirmation message, on _your_ local port, between 1024-5000. The
> destination is port 443 of site A. I receive the confirmation, and everyone
> is happy.

In other words, the app on B is making its *own* URLConnection back to A? If so, why? I've been assuming that B just does its thing and returns its response to the client on the same connection.

> Scenario 2) Now, your new security guru puts the clamps down on all
> outbound ports at site B. Taking the same scenario as 1), all works fine
> UNTIL you, site B, tries to send the response. Because all outbound ports
> have been blocked, the message does not get back to site A.

We may be hopelessly mired in semantics here, but ...

From the perspective of host B, the call from host A would seem to be an *inbound* connection. The way HTTP works, the response (from B back to A) is returned on the very same connection -- there is never a need for B to make an *outbound* connection for this purpose.

What it sounds like you are describing is a firewall configuration that:

* Allows an inbound connection (from host A port ) to port 443
* Allows data to be *read* from that connection
* Does *not* allow data to be written to that very same connection

which seems pretty nonsensical.

> Having said all that (sorry so long), at site B, you convince your security
> guy to open ports 2000-2005 (for example). What can I alter to guarantee
> that messages will be sent out on these ports? Thanks again for your help.

If there is, it would have to be a property of java.net.URLConnection -- or, more likely, of java.net.Socket underneath it. And, judging from the Javadocs, there does not seem to be such a thing.

After all this, it's kinda sorta off topic :-).

Craig

> > From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
> > Reply-To: [EMAIL PROTECTED]
> > To: <[EMAIL PROTECTED]>
> > Subject: Re: Specify outbound port on tomcat
> > Date: Fri, 7 Sep 2001 16:56:50 -0700 (PDT)
> >
> > On Fri, 7 Sep 2001, Joe Pearse wrote:
> >
> > > Date: Fri, 07 Sep 2001 16:49:09 -0700
> > > From: Joe Pearse <[EMAIL PROTECTED]>
> > > Reply-To: [EMAIL PROTECTED]
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: Specify outbound port on tomcat
> > >
> > > The application itself is generating the message being sent out. In the
> > > basic sense, a browser is not involved. For example, information is
> > > received on port 443, and processed by the application. From that, a
> > > java.net.URL object is created, and the message is fired off to the
> > > specified client URL. When firing off the message, the outbound port
> > > (1024-5000) is chosen, and I'm not sure what chooses the port, and if I can
> > > restrict it.
> >
> > OK, to make an outbound connection, you definitely need a port on the
> > local server. But what matters to a firewall is the port on the
> > *destination* of that connection, not the *origin*. What port number on
> > the client are you sending to? In order for things to work, *this* is the
> > port number your firewall has to allow through (assuming that the client
> > is on the other side of it, of course).
> >
> > Which, of course, raises the question of why do this anyway, when you can
> > simply return data in the HTTP response to the request you are processing,
> > but that's a different question.
> >
> > Craig
Re: Specify outbound port on tomcat
Hi. I might be out of my league here, but here's my two cents:

How do you instantiate the java.net.URL object? Several of the constructors allow the port to be entered. What is the protocol you are using on this port?

From the JavaDocs: "A URL can optionally specify a "port", which is the port number to which the TCP connection is made on the remote host machine. If the port is not specified, the default port for the protocol is used instead. For example, the default port for http is 80."

cheers.
pete.

----- Original Message -----
From: "Joe Pearse" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 07, 2001 5:19 PM
Subject: Re: Specify outbound port on tomcat

> That's just it, though. Take the firewall out of the equation, and the
> application works fine. I understand that the destination port is what
> matters, and it does; you're right about that. Let me describe a scenario,
> to see if this helps explain the problem.
>
> I'm running tomcat + application at location A, you're running the same
> application + tomcat at location B.
>
> Scenario 1) You, site B, have no firewall restrictions. I, site A, send
> you, site B a message to port 443. Application does its thing, and sends a
> confirmation message, on _your_ local port, between 1024-5000. The
> destination is port 443 of site A. I receive the confirmation, and everyone
> is happy.
>
> Scenario 2) Now, your new security guru puts the clamps down on all
> outbound ports at site B. Taking the same scenario as 1), all works fine
> UNTIL you, site B, tries to send the response. Because all outbound ports
> have been blocked, the message does not get back to site A.
>
> Having said all that (sorry so long), at site B, you convince your security
> guy to open ports 2000-2005 (for example). What can I alter to guarantee
> that messages will be sent out on these ports? Thanks again for your help.
>
> > From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
> > Reply-To: [EMAIL PROTECTED]
> > To: <[EMAIL PROTECTED]>
> > Subject: Re: Specify outbound port on tomcat
> > Date: Fri, 7 Sep 2001 16:56:50 -0700 (PDT)
> >
> > On Fri, 7 Sep 2001, Joe Pearse wrote:
> >
> > > Date: Fri, 07 Sep 2001 16:49:09 -0700
> > > From: Joe Pearse <[EMAIL PROTECTED]>
> > > Reply-To: [EMAIL PROTECTED]
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: Specify outbound port on tomcat
> > >
> > > The application itself is generating the message being sent out. In the
> > > basic sense, a browser is not involved. For example, information is
> > > received on port 443, and processed by the application. From that, a
> > > java.net.URL object is created, and the message is fired off to the
> > > specified client URL. When firing off the message, the outbound port
> > > (1024-5000) is chosen, and I'm not sure what chooses the port, and if I can
> > > restrict it.
> >
> > OK, to make an outbound connection, you definitely need a port on the
> > local server. But what matters to a firewall is the port on the
> > *destination* of that connection, not the *origin*. What port number on
> > the client are you sending to? In order for things to work, *this* is the
> > port number your firewall has to allow through (assuming that the client
> > is on the other side of it, of course).
> >
> > Which, of course, raises the question of why do this anyway, when you can
> > simply return data in the HTTP response to the request you are processing,
> > but that's a different question.
> >
> > Craig
Re: Specify outbound port on tomcat
"Joe Pearse" <[EMAIL PROTECTED]> wrote:

> That's just it, though. Take the firewall out of the equation, and the
> application works fine. I understand that the destination port is what
> matters, and it does; you're right about that. Let me describe a scenario,
> to see if this helps explain the problem.
>
> I'm running tomcat + application at location A, you're running the same
> application + tomcat at location B.
>
> Scenario 1) You, site B, have no firewall restrictions. I, site A, send
> you, site B a message to port 443. Application does its thing, and sends a
> confirmation message, on _your_ local port, between 1024-5000. The
> destination is port 443 of site A. I receive the confirmation, and everyone
> is happy.
>
> Scenario 2) Now, your new security guru puts the clamps down on all
> outbound ports at site B. Taking the same scenario as 1), all works fine
> UNTIL you, site B, tries to send the response. Because all outbound ports
> have been blocked, the message does not get back to site A.
>
> Having said all that (sorry so long), at site B, you convince your security
> guy to open ports 2000-2005 (for example). What can I alter to guarantee
> that messages will be sent out on these ports? Thanks again for your help.

Yes, typical scenario used in business processes...

Use the constructor I mentioned and tell the security folks to open connections on this socket:

Local (B) IP:2000-2005 -> Remote (A) IP:443

And don't forget to write the appropriate outbound connection queue...

Pier
Re: Specify outbound port on tomcat
"Tim O'Neil" <[EMAIL PROTECTED]> wrote:

>> Tomcat (or Apache, or any other TCP based server) sends responses back on
>> the same port that it received your request on (in fact, on the exact same
>> connection). Is your application itself generating outbound TCP
>> connections (for example, to connect to a database)? Or is the arbitrary
>> port possibly the one created by your *browser* running on the same
>> machine and connecting to Tomcat?
>
> Not true in some cases. HTTP sends its response info on the same port,
> protos like ftp open another port. (Which is the reason for http being
> a stateless protocol, you need to open a second port to do things like
> random stream access.)

Correct... Based on HTTP, for example, there's RTSP (Real Time Streaming Protocol) which uses a more-or-less stateless TCP connection for "controlling" the other UDP-based streams carrying the actual data.

> But that his application is wanting to open another
> port has nothing to do with tomcat, or at least I doubt it. Is your app
> a CORBA or JNI app by chance Joe?

Joe's scenario looked a lot like an EbXML, RosettaNET, BizTalk or similar transaction, where the "action" is decoupled from the request-response model of the transport (HTTP in this case), as, as I told before, that might involve long transaction processing, human intervention, name-your-favourite...

Can be solved, though! :) java.net sucks but not THAT badly! :)

Pier
Re: Specify outbound port on tomcat
At 04:05 PM 9/7/2001, you wrote:

> On Fri, 7 Sep 2001, Joe Pearse wrote:
>
> > Date: Fri, 07 Sep 2001 15:53:33 -0700
> > From: Joe Pearse <[EMAIL PROTECTED]>
> > Reply-To: [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Subject: Specify outbound port on tomcat
> >
> > Hi List-
> > I'd like to specify what outbound ports are chosen when running my
> > application. Currently, I can specify the inbound port for SSL (443) to
> > receive a message. When my application responds, it (seemingly) arbitrarily
> > picks a port between 1024 and (about) 5000 to send out the reply.
> > My client refuses to open up their firewall between 1024 and 5000, even
> > though it is for the outbound traffic only, I must specify (restrict) the
> > ports used for outbound traffic. Is anyone aware if this is something that
> > I could configure in Tomcat (or Apache), and if so, what is it? (If that is
> > not possible to configure, please let me know also.) Thanks for the help.
>
> Tomcat (or Apache, or any other TCP based server) sends responses back on
> the same port that it received your request on (in fact, on the exact same
> connection). Is your application itself generating outbound TCP
> connections (for example, to connect to a database)? Or is the arbitrary
> port possibly the one created by your *browser* running on the same
> machine and connecting to Tomcat?
>
> Craig McClanahan

Not true in some cases. HTTP sends its response info on the same port, protos like ftp open another port. (Which is the reason for http being a stateless protocol, you need to open a second port to do things like random stream access.)

But that his application is wanting to open another port has nothing to do with tomcat, or at least I doubt it. Is your app a CORBA or JNI app by chance Joe?
Re: Specify outbound port on tomcat
"Craig R. McClanahan" <[EMAIL PROTECTED]> wrote:

> On Fri, 7 Sep 2001, Joe Pearse wrote:
>
>> Date: Fri, 07 Sep 2001 16:49:09 -0700
>> From: Joe Pearse <[EMAIL PROTECTED]>
>> Reply-To: [EMAIL PROTECTED]
>> To: [EMAIL PROTECTED]
>> Subject: Re: Specify outbound port on tomcat
>>
>> The application itself is generating the message being sent out. In the
>> basic sense, a browser is not involved. For example, information is
>> received on port 443, and processed by the application. From that, a
>> java.net.URL object is created, and the message is fired off to the
>> specified client URL. When firing off the message, the outbound port
>> (1024-5000) is chosen, and I'm not sure what chooses the port, and if I can
>> restrict it.
>
> OK, to make an outbound connection, you definitely need a port on the
> local server. But what matters to a firewall is the port on the
> *destination* of that connection, not the *origin*. What port number on
> the client are you sending to? In order for things to work, *this* is the
> port number your firewall has to allow through (assuming that the client
> is on the other side of it, of course).

Well... Not really... My firewall, for example, is configured to deny access to the outside world if the originating port is < 1024...

A connected socket is always represented as a 96 bit value (header in the TCP packet), and that includes Source IP (32b) - Source Port (16b) - Target IP (32b) - Target port (16b)

Most firewalls are actually configurable to filter out outbound connections as well. This is because under UNIX, root initiated connections use port < 1024, and you don't want to allow a root process on the machine to be able to forward data to the outside world...

> Which, of course, raises the question of why do this anyway, when you can
> simply return data in the HTTP response to the request you are processing,
> but that's a different question.

When working with my previous employer, we were doing EbXML over HTTP, using Tomcat, and what usually happened was that at request time the only response sent back to the client was "I received your request, and it's syntactically correct". Then the request was appended to the job queue and processed. Responses were sent maybe HOURS after the request arrived, depending on how long the process took to finish.

For example, a customer might ask me thru HTTP for a quote for a product. And in that case, I want a real person to do some calculation, and decide what kind of discount I can give to that customer. Once this has been processed, and "manually" entered in my BPMS job queue, then my server calls back the client and tells something like "For the request you posted, and I acknowledged to, my response is...".

Happens all the time in business processes... (Gee, and I thought that _THAT_ job was useless!).

All I can suggest to Joe is, instead of creating sockets using java.net.URL, to create sockets manually using java.net.Socket. There's a constructor there which might help:

public Socket(InetAddress addr, int port, InetAddress locAddr, int locPort);

Then just set up your firewall to allow outgoing connections from locAddr:locPort, and you should be more-or-less set. Just be careful because only one of these sockets can be created at one time, as they share the same local port (if I'm not wrong!). So, you'll need a transactional queue (can be easily written) of outgoing connections, one at a time, slowly, despooling your responses...

Pier
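As an added illustration of the approach Pier sketches above (a locally bound java.net.Socket plus a queue so the 2000-2005 range is never overrun), here is a hypothetical helper that is not code from the thread or from Tomcat. The class name RangedSourcePortConnector, the port-walking logic and the loopback server standing in for site A are all my own assumptions.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.BindException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.Semaphore;

/**
 * Opens outbound TCP connections whose *source* port is confined to a small
 * range (2000-2005 in the thread), so that a firewall rule of the form
 *     local IP:2000-2005 -> remote IP:443
 * is sufficient. Hypothetical helper written for this example, not Tomcat code.
 */
public class RangedSourcePortConnector {
    private final InetAddress localAddr;
    private final int firstPort;
    private final int lastPort;
    // One permit per port in the range: this is the "outbound connection queue".
    // Callers wait for a free port instead of failing with BindException.
    private final Semaphore freePorts;

    public RangedSourcePortConnector(InetAddress localAddr, int firstPort, int lastPort) {
        if (firstPort < 1 || lastPort > 65535 || firstPort > lastPort) {
            throw new IllegalArgumentException("bad local port range");
        }
        this.localAddr = localAddr;
        this.firstPort = firstPort;
        this.lastPort = lastPort;
        this.freePorts = new Semaphore(lastPort - firstPort + 1, true);
    }

    /** Work to perform on the bound, connected socket. */
    public interface SocketTask { void run(Socket s) throws IOException; }

    /** Runs task on a connection bound inside the range, then frees the port. */
    public void withConnection(InetAddress remote, int remotePort, int timeoutMs,
                               SocketTask task) throws IOException, InterruptedException {
        freePorts.acquire();
        try (Socket s = open(remote, remotePort, timeoutMs)) {
            task.run(s);
        } finally {
            freePorts.release();
        }
    }

    private Socket open(InetAddress remote, int remotePort, int timeoutMs) throws IOException {
        for (int port = firstPort; port <= lastPort; port++) {
            Socket s = new Socket();          // unconnected: options can be set before bind()
            try {
                // A port closed moments ago lingers in TIME_WAIT; with only six ports that
                // would stall the queue, so let bind() succeed on such a port.
                s.setReuseAddress(true);
                s.bind(new InetSocketAddress(localAddr, port));
                s.connect(new InetSocketAddress(remote, remotePort), timeoutMs);
                return s;
            } catch (BindException busy) {
                s.close();                    // local port still held: try the next one
            } catch (IOException connectFailure) {
                s.close();
                throw connectFailure;         // remote unreachable: let the caller retry
            }
        }
        throw new BindException("no free local port in " + firstPort + "-" + lastPort);
    }

    // For the HTTPS case in the thread, SSLSocketFactory.getDefault()
    // .createSocket(remote, 443, localAddr, port) accepts the same local binding.

    // Demo against a loopback server so the chosen source port can be observed.
    public static void main(String[] args) throws Exception {
        InetAddress lo = InetAddress.getLoopbackAddress();
        try (ServerSocket siteA = new ServerSocket(0, 1, lo)) {   // stand-in for site A
            RangedSourcePortConnector siteB = new RangedSourcePortConnector(lo, 2000, 2005);
            siteB.withConnection(lo, siteA.getLocalPort(), 2000, s -> {
                OutputStream out = s.getOutputStream();
                out.write("constructed confirmation message\n".getBytes(StandardCharsets.UTF_8));
                out.flush();
            });
            try (Socket seenByA = siteA.accept()) {
                System.out.println("source port seen by site A: " + seenByA.getPort());
            }
        }
    }
}
```

The printed source port falls in 2000-2005, which is exactly what the firewall rule at site B needs to match; anything outside that range is a sign the application opened a socket through some other path (a plain java.net.URL, for instance).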
Re: Specify outbound port on tomcat
That's just it, though. Take the firewall out of the equation, and the application works fine. I understand that the destination port is what matters, and it does; you're right about that. Let me describe a scenario, to see if this helps explain the problem.

I'm running tomcat + application at location A, you're running the same application + tomcat at location B.

Scenario 1) You, site B, have no firewall restrictions. I, site A, send you, site B a message to port 443. Application does its thing, and sends a confirmation message, on _your_ local port, between 1024-5000. The destination is port 443 of site A. I receive the confirmation, and everyone is happy.

Scenario 2) Now, your new security guru puts the clamps down on all outbound ports at site B. Taking the same scenario as 1), all works fine UNTIL you, site B, tries to send the response. Because all outbound ports have been blocked, the message does not get back to site A.

Having said all that (sorry so long), at site B, you convince your security guy to open ports 2000-2005 (for example). What can I alter to guarantee that messages will be sent out on these ports? Thanks again for your help.

> From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: <[EMAIL PROTECTED]>
> Subject: Re: Specify outbound port on tomcat
> Date: Fri, 7 Sep 2001 16:56:50 -0700 (PDT)
>
> On Fri, 7 Sep 2001, Joe Pearse wrote:
>
> > Date: Fri, 07 Sep 2001 16:49:09 -0700
> > From: Joe Pearse <[EMAIL PROTECTED]>
> > Reply-To: [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Subject: Re: Specify outbound port on tomcat
> >
> > The application itself is generating the message being sent out. In the
> > basic sense, a browser is not involved. For example, information is
> > received on port 443, and processed by the application. From that, a
> > java.net.URL object is created, and the message is fired off to the
> > specified client URL. When firing off the message, the outbound port
> > (1024-5000) is chosen, and I'm not sure what chooses the port, and if I can
> > restrict it.
>
> OK, to make an outbound connection, you definitely need a port on the
> local server. But what matters to a firewall is the port on the
> *destination* of that connection, not the *origin*. What port number on
> the client are you sending to? In order for things to work, *this* is the
> port number your firewall has to allow through (assuming that the client
> is on the other side of it, of course).
>
> Which, of course, raises the question of why do this anyway, when you can
> simply return data in the HTTP response to the request you are processing,
> but that's a different question.
>
> Craig
Re: Specify outbound port on tomcat
On Fri, 7 Sep 2001, Joe Pearse wrote:

> Date: Fri, 07 Sep 2001 16:49:09 -0700
> From: Joe Pearse <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: Specify outbound port on tomcat
>
> The application itself is generating the message being sent out. In the
> basic sense, a browser is not involved. For example, information is
> received on port 443, and processed by the application. From that, a
> java.net.URL object is created, and the message is fired off to the
> specified client URL. When firing off the message, the outbound port
> (1024-5000) is chosen, and I'm not sure what chooses the port, and if I can
> restrict it.

OK, to make an outbound connection, you definitely need a port on the local server. But what matters to a firewall is the port on the *destination* of that connection, not the *origin*. What port number on the client are you sending to? In order for things to work, *this* is the port number your firewall has to allow through (assuming that the client is on the other side of it, of course).

Which, of course, raises the question of why do this anyway, when you can simply return data in the HTTP response to the request you are processing, but that's a different question.

Craig
Re: Specify outbound port on tomcat
The application itself is generating the message being sent out. In the basic sense, a browser is not involved. For example, information is received on port 443, and processed by the application. From that, a java.net.URL object is created, and the message is fired off to the specified client URL. When firing off the message, the outbound port (1024-5000) is chosen, and I'm not sure what chooses the port, and if I can restrict it.

> From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: <[EMAIL PROTECTED]>
> Subject: Re: Specify outbound port on tomcat
> Date: Fri, 7 Sep 2001 16:05:40 -0700 (PDT)
>
> On Fri, 7 Sep 2001, Joe Pearse wrote:
>
> > Date: Fri, 07 Sep 2001 15:53:33 -0700
> > From: Joe Pearse <[EMAIL PROTECTED]>
> > Reply-To: [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Subject: Specify outbound port on tomcat
> >
> > Hi List-
> > I'd like to specify what outbound ports are chosen when running my
> > application. Currently, I can specify the inbound port for SSL (443) to
> > receive a message. When my application responds, it (seemingly) arbitrarily
> > picks a port between 1024 and (about) 5000 to send out the reply.
> > My client refuses to open up their firewall between 1024 and 5000, even
> > though it is for the outbound traffic only, I must specify (restrict) the
> > ports used for outbound traffic. Is anyone aware if this is something that
> > I could configure in Tomcat (or Apache), and if so, what is it? (If that is
> > not possible to configure, please let me know also.) Thanks for the help.
>
> Tomcat (or Apache, or any other TCP based server) sends responses back on
> the same port that it received your request on (in fact, on the exact same
> connection). Is your application itself generating outbound TCP
> connections (for example, to connect to a database)? Or is the arbitrary
> port possibly the one created by your *browser* running on the same
> machine and connecting to Tomcat?
>
> Craig McClanahan
Re: Specify outbound port on tomcat
On Fri, 7 Sep 2001, Joe Pearse wrote:

> Date: Fri, 07 Sep 2001 15:53:33 -0700
> From: Joe Pearse <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Specify outbound port on tomcat
>
> Hi List-
> I'd like to specify what outbound ports are chosen when running my
> application. Currently, I can specify the inbound port for SSL (443) to
> receive a message. When my application responds, it (seemingly) arbitrarily
> picks a port between 1024 and (about) 5000 to send out the reply.
> My client refuses to open up their firewall between 1024 and 5000, even
> though it is for the outbound traffic only, I must specify (restrict) the
> ports used for outbound traffic. Is anyone aware if this is something that
> I could configure in Tomcat (or Apache), and if so, what is it? (If that is
> not possible to configure, please let me know also.) Thanks for the help.

Tomcat (or Apache, or any other TCP based server) sends responses back on the same port that it received your request on (in fact, on the exact same connection). Is your application itself generating outbound TCP connections (for example, to connect to a database)? Or is the arbitrary port possibly the one created by your *browser* running on the same machine and connecting to Tomcat?

Craig McClanahan
Specify outbound port on tomcat
Hi List-

I'd like to specify what outbound ports are chosen when running my application. Currently, I can specify the inbound port for SSL (443) to receive a message. When my application responds, it (seemingly) arbitrarily picks a port between 1024 and (about) 5000 to send out the reply.

My client refuses to open up their firewall between 1024 and 5000, even though it is for the outbound traffic only, I must specify (restrict) the ports used for outbound traffic. Is anyone aware if this is something that I could configure in Tomcat (or Apache), and if so, what is it? (If that is not possible to configure, please let me know also.) Thanks for the help.