Allowing Sockets through the Yast FireWall


Short version: How do I get the Yast Firewall on a Linux server to allow sockets to connect on a randomly (by the OS) selected port?

Longer version: A part of my larger java program has a client connecting to a server using sockets. The initial connection is done at a specific port with a ConnectionManager, that gives the client a port and password to connect to. The way I originally picked the port was through a list of ports (all above 49152) that I allowed in the firewall. I noticed that this new connection would randomly work, or refuse to connect. I concluded that the ports were being closed or used by something else (tried to turn the firewall off, didn’t help).

Then it was suggested that I let the OS pick the port by not specifying the port number (using 0 as per this constructor: JavaDoc). This picked a free port, which works perfectly when the firewall is down. However, the firewall blocks the connection, and the client times out.

Is there any way to set up the Yast firewall to allow the sockets, without overexposing the server? Or can/should I specify a range of port numbers for java to pick an open one, and allow those ports?

NOTE: I originally asked this on stackoverflow and was suggested to post here. It is exactly the same there: StackQuestion.

Solution:

TCP connections are able to be uniquely identified by the combination of source IP, source port, destination IP, and destination port. A good example is a web server – everyone’s connecting to it on port 80, but it’s able to maintain all of those connections to the same port concurrently because the source IP and port are different for each one.

What I’m getting at here is that you’re kinda re-inventing the wheel by opening up a distinct listening port for each connecting client. The best example of a protocol that behaves in the same way is passive mode FTP. Some firewalls play nice with it only because of deep packet inspection – there’s code in place in the protocol inspection due to the need to open the high port, but it’s specific, one-off workarounds for something that’s considered a “legacy” way of doing things.

I’d recommend using a single port for all incoming client traffic, which is a much more firewall-friendly way of allowing client connections – both on your end and the client’s, where firewall policies on their side may often have high destination ports blocked. If that’s not a concern and you do specify a range of ports and just let all of them through the firewall, just be sure that nothing else is listening on them.

On the YaST side – you do not need to do that, you can use iptables directly to allow/deny ports.
A better approach would be to open the right port in Java – either by iterating through a range and trying each one until success (the bind will throw an exception if someone else is using the port), and then opening the range in the firewall.

Another approach would be (it’s a programmer question, better for SO 🙂 ) to use a socket pool, which your application will use. There is a good example at Koders.
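The "iterate through a range and bind until success" approach from the answer, as an added example that is not from the original post or the asker's program. It assumes a hypothetical range 49152–49200 (the same range you would then open in the firewall) and binds to one explicitly chosen address rather than every interface, so the opened range only exposes the listener you intend.

```java
import java.io.IOException;
import java.net.BindException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ServerSocket;

public final class RangeBinder {
    // Hypothetical range (constructed for this example). Keep it small and
    // open exactly this range in the firewall, e.g. with iptables:
    //   iptables -A INPUT -p tcp --dport 49152:49200 -j ACCEPT
    static final int LOW = 49152;
    static final int HIGH = 49200;

    /**
     * Tries each port in [low, high] in turn and returns the first
     * ServerSocket that binds. A port already held by another process
     * makes bind() throw BindException, so we close that socket and move on.
     */
    public static ServerSocket bindInRange(InetAddress addr, int low, int high)
            throws IOException {
        for (int port = low; port <= high; port++) {
            ServerSocket ss = new ServerSocket();           // unbound
            try {
                ss.bind(new InetSocketAddress(addr, port));
                return ss;                                  // caller owns it now
            } catch (BindException e) {
                ss.close();                                 // in use elsewhere, try next
            }
        }
        throw new IOException("no free port in " + low + "-" + high);
    }

    public static void main(String[] args) throws IOException {
        // Bind only on the address you actually serve clients from; "0.0.0.0"
        // would expose the listener on every interface the range is open for.
        InetAddress addr = InetAddress.getByName("127.0.0.1");
        try (ServerSocket first = bindInRange(addr, LOW, HIGH);
             ServerSocket second = bindInRange(addr, LOW, HIGH)) {
            // The second call skips the port the first one holds.
            System.out.println("first listener on  " + first.getLocalPort());
            System.out.println("second listener on " + second.getLocalPort());
        }
    }
}
```

The port returned by `getLocalPort()` is what the ConnectionManager would hand to the client; since both listeners live inside the same opened range, no further firewall change is needed per connection.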
