I have a firewall problem.

Our developers produced an application which I need to use for monitoring. The application makes an outgoing connection to one of our servers on port 443. This server then makes a TCP connection back to the application on the monitoring server on a random high port.

I'd like to put a firewall on the monitoring server but this is making it difficult. There are about 100 servers being monitored and we change their IP addresses often; I don't want to create a blanket 'ALLOW' rule for each of them.

Does anyone have any suggestions?

Is it possible to allow incoming connections to a specific application?

Thanks

------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
On Tue, Jul 09, 2013 at 09:36:07AM +0800, Steve Wray wrote:
> Is it possible to allow incoming connections to a specific application?

It sounds like a rather cumbersome application design. What about choosing a fixed port for the monitoring server to listen on? If that won't work, I suggest looking at how active FTP firewall traversal is handled (i.e., an application gateway).

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
As there are so many servers being monitored and the server check application has to run individually for each one, it can't just listen on one port; each instance of the server check application has to listen on its own port. It tells the monitored server which port to connect back to. I guess in this respect it's similar to active FTP (which is a pain to firewall).

On 9 July 2013 09:58, Roberto C. Sánchez <roberto@connexer.com> wrote:
> What about choosing a fixed port for the monitoring server to listen on?
If you look at how the Apache multi-processing models are implemented (i.e., multi-process and multi-threaded) you will find that there is a process/thread that listens on port 80 (or whatever port you configure for your server). When a connection arrives, it hands that connection off to another process or thread on a different port to handle the client requests. That master process/thread then immediately goes back to listening on its port.

You could utilize the same approach with your monitoring application. You could have a master process or thread that handles spawning handler processes or threads for each inbound request. In an instance like that, normal connection tracking mechanisms will then handle the rest.

Regards,

-Roberto

On Tue, Jul 09, 2013 at 11:02:21AM +0800, Steve Wray wrote:
> each instance of the server check application has to listen on
> its own port. It tells the monitored server which port to connect back to.

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
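The master-listener design Roberto describes, as an added example rather than code from the thread or from Steve's application: one fixed port accepts every callback from the monitored servers, each accepted socket is handed to a handler thread, and the master goes straight back to accept(). The port number, the one-line "server-N" identification protocol and the loopback clients are constructed for the demo; with this shape the monitoring server's firewall needs one ACCEPT for the fixed port rather than a rule per monitored server, and connection tracking covers the rest.

```python
import socket
import threading

# Hypothetical fixed callback port (assumption, not from the thread): with
# this design the monitoring server's firewall needs a single ACCEPT for
# this one port instead of one rule per monitored server.
MONITOR_PORT = 8443

def handle_callback(conn, addr, results):
    """Per-server handler, run on the socket the master already accepted.
    The monitored server identifies itself with one line, e.g. "server-17"."""
    with conn:
        ident = conn.makefile("rb").readline().decode().strip()
        results[ident] = addr[0]          # record which address called back
        conn.sendall(b"OK " + ident.encode() + b"\n")

def serve(listener, results, count):
    """Master loop: accept a callback, hand it to a handler thread, and go
    straight back to accept() on the same fixed port."""
    threads = []
    for _ in range(count):
        conn, addr = listener.accept()
        t = threading.Thread(target=handle_callback, args=(conn, addr, results))
        t.start()
        threads.append(t)
    for t in threads:
        t.join()

def run_demo(n_servers=3):
    """Start the master on loopback and simulate n monitored servers calling
    back to the one fixed port. Returns (master's table, client replies)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # 0 = ephemeral port, demo only
    listener.listen(16)
    port = listener.getsockname()[1]     # would be MONITOR_PORT in production
    results = {}
    master = threading.Thread(target=serve, args=(listener, results, n_servers))
    master.start()
    replies = []
    for i in range(n_servers):           # constructed "monitored servers"
        with socket.create_connection(("127.0.0.1", port)) as c:
            c.sendall(f"server-{i}\n".encode())
            replies.append(c.makefile("rb").readline().decode().strip())
    master.join()
    listener.close()
    return results, replies

if __name__ == "__main__":
    print(run_demo())
```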