11 Replies Latest reply on Jan 27, 2005 8:20 AM by henkie

    RMI ports and firewall

    firebirth

      Hello there,

      we'd like to firewall the app server from the web server and experienced some problems defining the firewall rules. As far as I know, JBoss 3.2.3 uses some static ports, such as 1099 (JNDI) but also dynamic ports like for the RMI Object ports.

      I still couldn't figure out how to set the range of dynamic RMI ports used by JBoss or to restrict RMI communication to a single port. Is it possible to change those ports in a config file? I couldn't find anything...

      Or to put my question another way: is there a way to set up a firewall between the app server and the web server?

      Any help would be appreciated!

      Daniel

        • 1. Re: RMI ports and firewall
          adrian.brock

          It's on the WIKI.
          Click Wikis on the left hand menu bar then click "Secure JBoss"

          • 2. Re: RMI ports and firewall
            firebirth

            Thanks, Adrian. But I don't really feel satisfied yet.

            I would like to be more precise: We have a stand-alone app server (JBoss 3.2.3) and a stand-alone servlet engine (Tomcat 5.0.19). These two components should be separated by a firewall.

            From what I found on the Wiki (the one you suggested) there is no way to configure the dynamic ports JBoss uses to communicate with the servlet engine and vice versa. Is this true?

            Kind regards,

            Daniel

            • 3. Re: RMI ports and firewall
              starksm64
              • 4. Re: RMI ports and firewall
                vombi

                There was a "jnp.properties" file in JBoss 2.2.2 where you could configure the listening port for jnp.
                With a content like

                jnp.port=1099
                jnp.rmiPort=1100

                the "random" ports above 30000 would stick to 1100. It worked for 2.4 and as far as I see the code is still in 3.2. Maybe there is another way to configure it in the newer versions. I hope there is no performance reduction with this, does anyone know?

                • 5. Re: RMI ports and firewall
                  starksm64

                  jnp.properties is no longer used. See the referenced wiki page.

                  • 6. Re: RMI ports and firewall
                    vombi

                    I don't see the answer on the wiki page - maybe the question was not clear enough:
                    The ejb client is on the "servlet/web server" machine and makes an ejb lookup and connection to a separate machine running JBoss. This causes the "high random" listening ports to appear at run/invocation time. In fact the jnp.properties fix does not seem to work with JBoss 3, any further ideas ...?

                    • 7. Re: RMI ports and firewall
                      firebirth

                      Hello again,

                      I finally figured out what it takes to restrict rmi communication between jboss app server and servlet engine to one specific port, in this case to 4444. I had to uncomment the following line in the jboss-service.xml file, section "rmi/jrmp invoker":

                      <attribute name="RMIObjectPort">4444</attribute>


                      I must admit, I overlooked the fact that it was commented out. Shame on me... only typos are worse!

                      Thanks anyway, have a nice day,

                      Dan


                      • 8. Re: RMI ports and firewall
                        sebastiang

                        Hi,

                        I have exactly the same problem when trying to connect to jboss through a firewall. I configured my jboss 3.2.6 server as mentioned on the Wiki.
                        Here is my client code:

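                        import java.util.Hashtable;
                        import javax.naming.Context;
                        import javax.naming.InitialContext;

                        // JNDI environment pointing at the JBoss naming service (jnp) on port 1099
                        Hashtable env = new Hashtable();
                        env.put(Context.PROVIDER_URL, "myServer:1099");
                        env.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
                        env.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
                        Context ctx = new InitialContext(env);
                        Object obj = ctx.lookup("myObject");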

                        Getting the InitialContext works fine but during the lookup it always tries to connect to a high random port.
                        I hope someone can help me.

                        Sebastian

                        • 9. Re: RMI ports and firewall
                          sebastiang

                          Hi,
                          it's me again.

                          I am still stuck in that problem.

                          I also searched several other forums for that issue and wherever I found it I couldn't get a satisfying answer. I even read somewhere that it is a general Java RMI issue that one cannot get around. Is that true?

                          It would be really helpful if I could get a clear statement.

                          Bye,
                          Sebastian

                          • 10. Re: RMI ports and firewall
                            schrouf

                            We have a working RMI firewall configuration with the following enabled ports:

                            TCP:1099 (JNDI Naming)
                            TCP:1100 (Cluster JNDI Naming)
                            TCP:1098 (RMI-Port)
                            TCP:4444 (RMI-Object-Port)

                            Regards
                            Ulf
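
A configuration check for the problem firebirth describes in reply 7 and the port list in reply 10, as an added example that is not part of the thread or of JBoss: it reports which port attributes in a jboss-service.xml are in effect and which are commented out or zero, so the firewall allow-list matches what the server will actually bind. The sample XML is constructed; only RMIObjectPort comes from the thread, and the mbean names and the Port/RmiPort attributes are assumptions about the JBoss 3.2 layout.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample resembling a jboss-service.xml fragment. Only the
# RMIObjectPort attribute is taken from the thread; the mbean names and the
# Port/RmiPort attributes are assumptions about the JBoss 3.2 layout.
SAMPLE = """<server>
  <mbean code="org.jboss.naming.NamingService" name="jboss:service=Naming">
    <attribute name="Port">1099</attribute>
    <attribute name="RmiPort">1098</attribute>
  </mbean>
  <mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
         name="jboss:service=invoker,type=jrmp">
    <!-- <attribute name="RMIObjectPort">4444</attribute> -->
  </mbean>
</server>"""

PORT_ATTR = re.compile(r'<attribute\s+name="(\w*Port)"\s*>\s*(\d+)\s*</attribute>')
COMMENT = re.compile(r"<!--(.*?)-->", re.S)

def audit_ports(xml_text):
    """Return (pinned, unpinned): ports safe to allow-list vs. left dynamic."""
    pinned, unpinned = [], []
    # ElementTree drops comments, so it only sees settings that are in effect.
    for mbean in ET.fromstring(xml_text).iter("mbean"):
        for attr in mbean.findall("attribute"):
            name, text = attr.get("name", ""), (attr.text or "").strip()
            if not name.endswith("Port"):
                continue
            if text.isdigit() and int(text) > 0:
                pinned.append((name, int(text)))
            else:
                unpinned.append(f"{name}: set to {text or 'nothing'}, port chosen at runtime")
    # A port that appears only inside an XML comment is not in effect.
    active = {name for name, _ in pinned}
    for body in COMMENT.findall(xml_text):
        for name, value in PORT_ATTR.findall(body):
            if name not in active:
                unpinned.append(f"{name}: commented out (would be {value})")
    return pinned, unpinned

def allow_list(pinned):
    """TCP ports the firewall rule set needs to admit, sorted."""
    return sorted({port for _, port in pinned})

if __name__ == "__main__":
    pinned, unpinned = audit_ports(SAMPLE)
    print("allow:", allow_list(pinned))
    for finding in unpinned:
        print("WARNING", finding)
```

Any finding in the second list means the server can still hand out a port the firewall does not know about, which is the symptom reported in replies 6 and 8.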

                            • 11. Re: RMI ports and firewall
                              henkie

                              3 short steps to make jboss accessible from outside firewall, presuming on windows (for step 3):

                              1. Make sure you have a name resolving to the external IP address of the FW eg.: externalip.example.org

                              2. Startup the JBoss server with an extra parameter: -b externalip.example.org

                              3. Supposing your internal IP address is eg. 192.168.1.1, in your windows hosts file ( c:\windows\drivers\etc\hosts ) add:
                              192.168.1.1 externalip.example.org

                              regards,

                              henkie.