For web applications and services, usually you only use the AJP port when you also install a web server (e.g. Apache). If you don't install a webserver, you must allow the access to the HTTP and HTTPS ports.

If you are securing your web applications, disabling other ports in the JBoss is not absolutely necessary. You can use your firewall (e.g. Iptables in Linux) to restrict the access to the other ports.

Typical configuration

Typical JBoss configuration uses a web server or load balancer (e.g. Apache Web Server) receiving the web requests. The JBoss can be installed behind your web server and you can restrict the external access to all the ports excepting standard HTTP (80) and HTTPS (443) ports.

Using this configuration,

• web browsers will connect to the webserver (e.g. apache) using HTTP or HTTPS port
• apache connects to JBoss to execute the application using the AJP port

In this case, you can restrict the access to all the JBoss ports.

• If you are using one machine, you can use your firewall and enable only the access to the webserver, and execute the JBoss to only get connections from localhost (127.0.0.1)
• If you are using several machines, you can configure the firewall of the load balancer and enable only access using HTTP or HTTPS, and configure the firewall of the JBoss servers to only permit the access from the load balancer using the AJP port (8009)

Specifying ports and addresses for JBoss

As i remember, by default, JBoss will run using only connections from localhost (127.0.0.1) and a set of ports. You can specify which ip addresses and ports JBoss must use.

In the command line, if you only want local connections, you can bind the server to localhost only.

  run -b 127.0.0.1

If you want connections from all the machines, you can bind the server to all the available ip addresses

  run -b 0.0.0.0

If you want to use another set of ports, you can use

  run -Djboss.service.binding.set=ports-01

additional information in http://community.jboss.org/wiki/ConfigurePorts

Configuring the web server

You can use the mod_proxy module for Apache to redirect some URLs to web applications in your JBoss

For example, to expose an application called demo you can include in your httpd.conf

  ProxyPass /demo  ajp://localhost:8009/demo

Configuring the Linux firewall

You can configure your firewall to disable external connections to some ports. Usually, all the ports are protected and you must configure which ports are accesible by external clients and applications.

Also, if you don't wanna use a webserver, you can use the firewall to redirect connections to standard web ports (80) to the JBoss web ports. For example, using iptables you can redirect the web requests to the 8080 port

  # iptables -t nat -A PREROUTING -i eth0 -p tcp --dport http -j REDIRECT --to-ports 8080

The firewall configuration depends on your linux distro

• http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-IPTables.html
• http://www.xenocafe.com/tutorials/linux/redhat/iptables/iptables_linux_redhat-part1.php
• http://wiki.centos.org/HowTos/Network/IPTables
• http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-fw.html

Disabling ports In JBoss

If you want to disable some ports, you must take care about which must be enabled or disabled. (The use of a firewall is a better idea)

  - web browsers/web services require HTTP (8080) or HTTPS (8443) ports

  - web servers or load balancers require AJP (8009) port

  - RMI clients require RMI ports

  - EJB clients (possibly) require RMI, Naming and EJB ports

  - EJB with complex transactions (e.g. two-phase-commit) require JBossTS

  - etc.

For the HTTP, HTTPS and AJP ports, you can modify a configuration file

• <jboss_home>/server/all/deploy/jbossweb.sar/META-INF/jboss-service.xml

You can disable some additional ports manually modifying these files

• <jboss_home>/server/all/conf/jboss-service.xml
• <jboss_home>/server/all/deploy/cluster-service.xml
• <jboss_home>/server/all/deploy/jbossmq-service.xml
• <jboss_home>/server/all/deploy/hsqldb-service.xml
• <jboss_home>/server/all/deploy/jmx-rmi-adaptor.sar/META-INF/jboss-service.xml

additional information in http://community.jboss.org/wiki/ConfigurePorts