On 24 May 2010 01:31, Bruce Snyder <bruce.sny...@gmail.com> wrote:

> Based on the iptables rules above, it looks like the second rule
> overrides the first rule, correct? I think the second rule accepts
> requests on the port only from local clients. If this is correct, I see
> nothing wrong with it. And the call to activemq-admin stop is indeed a
> safe way to shut down ActiveMQ.

Hi Bruce,
Thanks for taking the time to respond. That's correct regarding the firewall rules; because they're both added at line 1 (... -I INPUT 1 ...), the second one added ends up ahead of the first one added in the chain. That said, I can see now that it would have been clearer and better to add them in the same order that they'll appear in the chain, so I've changed it as follows:

    PORT=61616
    ...
    iptables -I INPUT 1 -s 127.0.0.0/8 -p tcp --dport $PORT -j ACCEPT
    iptables -I INPUT 2 -p tcp --dport $PORT -j DROP
    rulesAdded=1

This also eliminates, I guess, the possibility that something might try to connect to port 61616 from the localhost at that very microsecond after the first rule was added, but before the second one was.

I'm very glad you think the method is sound, and I'll happily send the scripts through to anyone who wants them if they prove to be useful after our application goes into the testing phase.

Best,
Alex
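The ordering point in the exchange above is easy to get wrong because `iptables -I CHAIN N` inserts *at* position N, so two rules both inserted at 1 end up in the reverse of the order they were typed, and netfilter then takes the first matching rule. The script below is an added example for this thread, not Alex's script or anything from ActiveMQ: it simulates `-I INPUT N` placement and first-match evaluation in plain POSIX sh, so it runs without root and without touching a real firewall. It assumes each rule carries at most one `-s a.b.c.d/len` source match and one `-j TARGET`, ignores `-p`/`--dport` because every simulated packet is TCP to the same port, and assumes the chain policy is ACCEPT; the source addresses 127.0.0.1 and 10.0.0.5 are constructed test inputs. It generalizes slightly beyond the thread by showing both placements side by side.

```shell
#!/bin/sh
# Added example (not the original poster's script): simulate `iptables -I INPUT N`
# placement and first-match evaluation in user space. Assumptions: rules have at
# most one `-s a.b.c.d/len` and one `-j TARGET`; `-p`/`--dport` are ignored because
# every simulated packet is TCP to the same port; chain policy is ACCEPT.

CHAIN=""   # one rule per line, top to bottom, as `iptables -L INPUT --line-numbers` shows it

# insert_rule POS RULE: emulate `iptables -I INPUT POS RULE`. The new rule becomes
# entry POS; the old entry POS and everything below it shift down one place.
insert_rule() {
    CHAIN=$(printf '%s\n' "$CHAIN" | awk -v pos="$1" -v rule="$2" '
        NF == 0 { next }                       # placeholder line of an empty chain
        { n++; if (n == pos) print rule; print }
        END { if (pos > n) print rule }        # POS past the end: append
    ')
}

# cidr_match ADDR CIDR: succeed when dotted-quad ADDR lies inside CIDR (a.b.c.d/len).
cidr_match() {
    awk -v addr="$1" -v cidr="$2" '
        function toint(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        BEGIN {
            split(cidr, p, "/")
            span = 2 ^ (32 - p[2])             # block size; compare only the high bits
            exit !(int(toint(addr) / span) == int(toint(p[1]) / span))
        }'
}

# verdict SRC: walk CHAIN top to bottom and print the target of the first rule whose
# source match fits SRC. The first match wins; later rules are never consulted.
verdict() {
    src=$1
    result=POLICY_ACCEPT                       # nothing matched: chain policy applies
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        rule_src=""; target=""
        set -- $rule                           # split the rule into its options
        while [ $# -gt 0 ]; do
            case $1 in
                -s) rule_src=$2; shift ;;
                -j) target=$2; shift ;;
            esac
            shift
        done
        if [ -z "$rule_src" ] || cidr_match "$src" "$rule_src"; then
            result=$target
            break
        fi
    done <<EOF
$CHAIN
EOF
    echo "$result"
}

PORT=61616
ALLOW="-s 127.0.0.0/8 -p tcp --dport $PORT -j ACCEPT"
BLOCK="-p tcp --dport $PORT -j DROP"

# Both rules inserted at position 1, written ALLOW then BLOCK: the rule inserted
# last lands on top, so the chain reads BLOCK, ALLOW and localhost is dropped too.
build_both_at_1() {
    CHAIN=""
    insert_rule 1 "$ALLOW"
    insert_rule 1 "$BLOCK"
}

# The revised ordering from the thread: insert at 1, then at 2, so the chain
# reads exactly as written, ALLOW then BLOCK.
build_revised() {
    CHAIN=""
    insert_rule 1 "$ALLOW"
    insert_rule 2 "$BLOCK"
}

# top_rule: the rule netfilter would consult first.
top_rule() { printf '%s\n' "$CHAIN" | sed -n 1p; }

demo() {
    for builder in build_both_at_1 build_revised; do
        $builder
        echo "== $builder =="
        printf '%s\n' "$CHAIN" | awk '{ print NR ": " $0 }'
        printf '  127.0.0.1 -> %s\n' "$(verdict 127.0.0.1)"
        printf '  10.0.0.5  -> %s\n' "$(verdict 10.0.0.5)"
    done
}
demo
```

Running it prints both chains with their line numbers and the verdict each gives for a local and a remote source; only the revised placement accepts 127.0.0.1 while dropping 10.0.0.5. One caveat that falls straight out of the revised order: in the instant between the two `iptables` calls only the ACCEPT rule is present, so non-local connections in that window see the chain's existing policy rather than the DROP; the localhost race discussed above is gone either way.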