Hi,

I'm trying to block external access to port 8009 (AJP13), as only my local host 
really needs to be able to talk to it.
I'm wondering if there are any internal/mod_jk mechanisms for that, or if 
iptables is the best option.

I have tried iptables, which did block external requests, but it also got me in 
a situation where I had a few hundred httpd processes in a SYN_SENT state ( 
netstat | grep 8009 | grep -c SYN_SENT ) and returning 503s instead of 200s:

iptables -A INPUT \
     -p TCP --dport 8009 \
     -m state --state NEW \
     -j DROP
iptables -A INPUT \
     -p UDP --dport 8009 \
     -m state --state NEW \
     -j DROP

iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT  -i lo -j ACCEPT


If anyone has iptables rules that work, I'd appreciate it if you could share 
them.

I'd also be curious to know whether people use some other mechanisms to prevent 
evil folks from connecting to your port 8009 from the outside and consuming 
your available connections.

Thanks,
Otis
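An added example, not part of Otis's post: iptables evaluates a chain top to bottom and stops at the first matching rule, so in the rule set quoted above the `--dport 8009 ... -j DROP` rule is hit before the `-i lo -j ACCEPT` rule, and the local httpd's own SYNs to 127.0.0.1:8009 are dropped along with the external ones (consistent with the SYN_SENT pile-up and 503s described). The script below emits the same rules with the loopback ACCEPT first; the UDP rule is omitted because AJP13 is TCP only. The `IPTABLES` variable and the `--apply` flag are assumptions of this example, not anything from the original post.

```shell
#!/bin/sh
# Added example (not from the original post): AJP 8009 reachable from
# loopback only, with the ACCEPT for lo placed *before* the DROP so that
# first-match evaluation lets the local web server through.
IPTABLES="${IPTABLES:-iptables}"   # assumption: iptables is on PATH

# Print the rules in the order they must be appended with -A.
ajp_rules() {
    cat <<EOF
$IPTABLES -A INPUT  -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 8009 -m state --state NEW -j DROP
EOF
}

# Line number of the first emitted rule matching a pattern; lets the
# ordering be checked without touching the kernel or needing root.
rule_line() {
    ajp_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Apply the rules only when explicitly asked and running as root
# (assumed flag name, for this example only).
if [ "$1" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "must run as root to apply" >&2; exit 1; }
    ajp_rules | sh -e
fi
```

Run without arguments it only prints the rules; `sh ajp-firewall.sh --apply` as root appends them. If the INPUT chain already holds other rules, append order no longer guarantees the loopback ACCEPT comes first, so insert it at the top instead (`iptables -I INPUT 1 -i lo -j ACCEPT`) and verify with `iptables -L INPUT -n --line-numbers` that it precedes the 8009 DROP. Once local SYNs are accepted, `netstat | grep 8009 | grep -c SYN_SENT` should no longer climb under load.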
