tomcat iptables problem - 2007-10-03 - By Dieter Schicker
Sorry, of course the "accept bla bla" goes into a separate line!
Dieter Schicker wrote:
> Thanks a lot for all your valuable answers! Unfortunately none of them
> helped me.
> Let me give you an example of this strange behavior (tomcat starting
> very slowly [>3min.]).
>
> iptables Ruleset:
>
> ----------------------------------------------------
> Chain INPUT (policy DROP)
> target prot opt source destination
> accept bla bla
> accept bla bla
>
> Chain FORWARD (policy DROP)
> target prot opt source destination
> accept bla bla
> accept bla bla
>
> Chain OUTPUT (policy DROP)
> target prot opt source destination
> accept bla bla
> accept bla bla
> ----------------------------------------------------
>
> => Tomcat starts slowly.
>
> Then I do the following:
>
> iptables -P INPUT ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -F INPUT
> iptables -F OUTPUT
> iptables -F FORWARD
>
> So I get:
>
> ----------------------------------------------------
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> ----------------------------------------------------
>
> => Tomcat still (!!!) starts slowly! (Why???)
>
> Only when I restart the whole Debian machine and do not start the
> firewall tomcat starts fast.
>
> The system is Debian 4.0 with a 2.6.18-4-xen-amd64 kernel and
> apache-tomcat-5.5.23 (same behavior with apache-tomcat-6.0.14).
>
> Any suggestions?
>
> Many thanks in advance
> Dieter
>
>
> Christopher Schultz wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Dieter,
>>
>> Dieter Schicker wrote:
>>> Now I set up an iptables firewall (with fwbuilder) with the following
>>> open ports:
>>> 8080 (http), 8005 (shutdown?), 8009 (ajp connector) and all lo traffic
>>> is allowed.
>>
>> What about outgoing allowed ports?
>>
>>> With this configuration I have the following behavior: Tomcat needs 3
>>> minutes to shut down and another 3 minutes to start up again. If it runs
>>> it runs perfectly ...
>>
>> I'm not sure about shutdown, but if your server (or application) is
>> configured to use, say, an XML document with a SYSTEM ID that points to
>> an outside URL (for instance: http://java.sun.com/dtd/web-app_2_3.dtd),
>> the XML parser might be attempting to access that URL. If your firewall
>> is preventing outgoing HTTP connections (good old port 80), it might
>> waste a lot of time re-trying before it finally gives up and reads
>> non-validated XML.
>>
>> I would change your iptables configuration to set all outgoing rejected
>> requests to LOG as well as reject, and then you can watch the iptables
>> log (usually the "kernel" log on Debian IIRC) for requests to foreign
>> hosts on port 80.
>>
>> Hope that helps,
>> - -chris
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.7 (MingW32)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>>
>> iD8DBQFHAsQE9CaO5/Lv0PARAkrSAKCa6D0xMiG6zo4SdP5r3FVbEN30+ACgonNN
>> UuRz6pB8z+UUciozFLGv3eY=
>> =N69G
>> -----END PGP SIGNATURE-----
>>
>> ---------------------------------------------------------------------
>> To start a new topic, e-mail: users@(protected)
>> To unsubscribe, e-mail: users-unsubscribe@(protected)
>> For additional commands, e-mail: users-help@(protected)
>>
>
> Dieter Schicker
> INIG - Department of Information Processing in the Humanities
> Karl Franzens University of Graz
> Merangasse 70
> A-8020 Graz
> Tel.: +43 316 380 8012
> http://www-gewi.uni-graz.at/inig/
Dieter Schicker
INIG - Department of Information Processing in the Humanities
Karl Franzens University of Graz
Merangasse 70
A-8020 Graz
Tel.: +43 316 380 8012
http://www-gewi.uni-graz.at/inig/
--
Student of Computer Science
Graz University of Technology
schicker@(protected)
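Chris's suggestion in the quoted reply (log every rejected outgoing packet, then watch the kernel log for repeated attempts to reach foreign hosts on port 80, which is what a parser fetching an external DTD would look like) can be automated. The script below is an added example and is not part of this thread; the kern.log lines, addresses, interface names, timestamps, the "OUT-REJECT:" log prefix and the "local" network are all constructed, and the iptables rule pair in the comment is an assumption about how such lines would be produced.

```python
import re
import sys
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed rule pair at the end of the OUTPUT chain so that a reject is logged first
# (the prefix is arbitrary; it just makes the lines easy to find in kern.log):
#   iptables -A OUTPUT -j LOG --log-prefix "OUT-REJECT: "
#   iptables -A OUTPUT -j REJECT
#
# Constructed sample of kern.log lines in the standard iptables LOG field layout
# (IN= OUT= SRC= DST= ... PROTO= SPT= DPT=). Nothing here is from a real host.
SAMPLE_KERN_LOG = """\
Oct  3 10:12:01 tomcat-host kernel: OUT-REJECT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=41234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  3 10:12:04 tomcat-host kernel: OUT-REJECT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1235 DF PROTO=TCP SPT=41234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  3 10:12:10 tomcat-host kernel: OUT-REJECT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1236 DF PROTO=TCP SPT=41234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  3 10:12:11 tomcat-host kernel: OUT-REJECT: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.53 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=1237 DF PROTO=UDP SPT=33000 DPT=53 LEN=52
Oct  3 10:12:12 tomcat-host kernel: OUT-REJECT: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1238 DF PROTO=TCP SPT=50000 DPT=8005 WINDOW=32792 RES=0x00 SYN URGP=0
Oct  3 10:12:13 tomcat-host kernel: unrelated message without iptables fields
"""

# Constructed: networks this host considers local; any other address is "foreign".
LOCAL_NETWORKS = [ip_network("192.0.2.0/24")]

# One iptables LOG line. SPT/DPT are optional because ICMP lines carry neither.
LOG_LINE = re.compile(
    r"kernel: (?P<prefix>[^:]*): IN=(?P<in>\S*) OUT=(?P<out>\S*) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_iptables_log(text):
    """Return one dict per iptables LOG line; lines without the fields are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue  # ordinary kernel message, not a firewall log entry
        d = m.groupdict()
        records.append({
            "prefix": d["prefix"], "out_if": d["out"], "src": d["src"],
            "dst": d["dst"], "proto": d["proto"],
            "dport": int(d["dpt"]) if d["dpt"] else None,
        })
    return records


def is_foreign(addr, local_networks):
    """Loopback and anything inside a local network is not foreign."""
    ip = ip_address(addr)
    if ip.is_loopback:
        return False
    return not any(ip in net for net in local_networks)


def suspect_external_fetches(text, local_networks=LOCAL_NETWORKS, ports=(80, 443)):
    """Rejected TCP connections to foreign hosts on HTTP(S) ports, most frequent first.
    Several rejects to one host a few seconds apart is the retry pattern of a
    parser or library trying to fetch something (e.g. a DTD) from the Internet."""
    hits = Counter()
    for r in parse_iptables_log(text):
        if r["proto"] == "TCP" and r["dport"] in ports and is_foreign(r["dst"], local_networks):
            hits[(r["dst"], r["dport"])] += 1
    return hits.most_common()


def rejected_loopback(text):
    """Rejects on 'lo' mean the 'all lo traffic allowed' rule is not doing its job."""
    return [r for r in parse_iptables_log(text) if r["out_if"] == "lo"]


def main():
    # Pass a path to read a real kern.log; otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KERN_LOG
    for (dst, port), n in suspect_external_fetches(text):
        print(f"{n} rejected outbound connection(s) to {dst}:{port}")
    for r in rejected_loopback(text):
        print(f"loopback traffic rejected: {r['src']} -> {r['dst']} port {r['dport']}")


if __name__ == "__main__":
    main()
```

On the sample the report shows three rejected attempts to reach one foreign host on port 80 within ten seconds, and one rejected loopback connection to port 8005 (the shutdown port): the first is the DTD-fetch symptom Chris describes, the second would mean the loopback allow rule is not matching. The DNS reject to a local resolver is deliberately not flagged, but you may want to inspect it too, since a blocked resolver makes every outbound name lookup stall as well.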