Hi,
I'm trying to block external access to port 8009 (AJP13), as only my local host
really needs to be able to talk to it.
I'm wondering if there are any internal/mod_jk mechanisms for that, or if
iptables is the best option.
I have tried iptables, which did block external requests, but it also got me in
a situation where I had a few hundred httpd processes in a SYN_SENT state (
netstat | grep 8009 | grep -c SYN_SENT ) and returning 503s instead of 200s:
iptables -A INPUT \
-p TCP --dport 8009 \
-m state --state NEW \
-j DROP
iptables -A INPUT \
-p UDP --dport 8009 \
-m state --state NEW \
-j DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
If anyone has iptables rules that work, I'd appreciate it if you could share
them.
I'd also be curious to know whether people use some other mechanisms to prevent
evil folks from connecting to your port 8009 from the outsite and consuming
your available connections.
Thanks,
Otis
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
