11.10.4. Configure Network Firewalls to Work with JBoss EAP 6
Most production environments use firewalls as part of an overall network security strategy. If you need multiple server instances to communicate with each other or with external services such as web servers or databases, your firewall must take this into account. A well-managed firewall only opens the ports which are necessary for operation, and limits access to the ports to specific IP addresses, subnets, and network protocols.
- Determine the ports you need to open.
- An understanding of your firewall software is required. This procedure uses the system-config-firewall command in Red Hat Enterprise Linux 6. Microsoft Windows Server includes a built-in firewall, and several third-party firewall solutions are available for each platform. On Microsoft Windows Server, you can use PowerShell to configure the firewall.
This procedure configures a firewall in an environment with the following assumptions:
- The operating system is Red Hat Enterprise Linux 6.
- JBoss EAP 6 runs on host 10.1.1.2. Optionally, the server has its own firewall.
- The network firewall server runs on host
eth0, and has an external interface
- You want traffic on port 5445 (a port used by JMS) forwarded to JBoss EAP 6. No other traffic should be allowed through the network firewall.
Procedure 11.33. Manage Network Firewalls and JBoss EAP 6 to work together
Log into the Management Console. By default, it runs on http://localhost:9990/console/.
Determine the socket bindings used by the socket binding group.
- Click the Configuration label at the top of the Management Console.
- Expand the General Configuration menu. Select Socket Binding.
- The Socket Binding Declarations screen appears. Initially, the standard-sockets group is shown. Choose a different group by selecting it from the combo box on the right-hand side.
Note: If you use a standalone server, it has only one socket binding group.
The list of socket names and ports is shown, eight values per page. You can go through the pages by using the arrow navigation below the table.
Determine the ports you need to open. Depending on the function of the particular port and the requirements of your environment, some ports may need to be opened on your firewall.
Configure your firewall to forward traffic to JBoss EAP 6. Perform these steps to configure your network firewall to allow traffic on the desired port.
- Log into your firewall machine and access a command prompt, as the root user.
- Issue the command system-config-firewall to launch the firewall configuration utility. A GUI or command-line utility launches, depending on the way you are logged into the firewall system. This task makes the assumption that you are logged in via SSH and using the command-line interface.
- Use the TAB key on your keyboard to navigate to the button, and press the ENTER key. The Trusted Services screen appears.
- Do not change any values, but use the TAB key to navigate to the button, and press ENTER to advance to the next screen. The Other Ports screen appears.
- Use the TAB key to navigate to the <Add> button, and press ENTER. The Port and Protocol screen appears.
- Enter 5445 in the Port / Port Range field, then use the TAB key to move to the Protocol field, and enter tcp. Use the TAB key to navigate to the button, and press ENTER.
- Use the TAB key to navigate to the button until you reach the Port Forwarding screen.
- Use the TAB key to navigate to the <Add> button, and press the ENTER key.
- Fill in the following values to set up port forwarding for port
Use the TAB key to navigate to the button, and press ENTER.
- Source interface:
- Port / Port Range:
- Destination IP address:
- Port / Port Range:
- Use the TAB key to navigate to the button, and press ENTER.
- Use the TAB key to navigate to the button, and press ENTER. To apply the changes, read the warning and click .
Configure a firewall on your JBoss EAP 6 host. Some organizations choose to configure a firewall on the JBoss EAP 6 server itself, and close all ports that are not necessary for its operation. See Section 11.10.3, “Network Ports Used By JBoss EAP 6” and determine which ports to open, then close the rest. The default configuration of Red Hat Enterprise Linux 6 closes all ports except 22 (used for Secure Shell (SSH)) and 5353 (used for multicast DNS). While you are configuring ports, ensure you have physical access to your server so that you do not inadvertently lock yourself out.
Your firewall is configured to forward traffic to your internal JBoss EAP 6 server in the way you specified in your firewall configuration. If you chose to enable a firewall on your server, all ports are closed except the ones needed to run your applications.
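One way to check the result of the forwarding procedure above, as an added example that is not part of the original documentation: the function reads iptables-save output from the firewall host and reports anything that forwards traffic other than TCP port 5445 to 10.1.1.2. The function names, the sample rulesets and the interface name eth1 are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit `iptables-save` output against the policy
# "forward only tcp/PORT to DEST, drop everything else".
# Usage on the firewall host: iptables-save | audit_forward 5445 10.1.1.2
audit_forward() {
    awk -v port="$1" -v dest="$2" '
    # Value that follows option NAME on the current rule line, or "".
    function opt(name,   i) {
        for (i = 1; i < NF; i++) if ($i == name) return $(i + 1)
        return ""
    }
    function report(msg) { print msg; bad = 1 }
    /^\*/ { table = substr($1, 2) }    # table header: *filter, *nat, ...
    table == "filter" && $1 == ":FORWARD" {
        seen = 1
        if ($2 != "DROP") report("FORWARD policy is " $2 ", expected DROP")
    }
    table == "filter" && /^-A FORWARD / && opt("-j") == "ACCEPT" {
        st = opt("--state") opt("--ctstate")
        # Return traffic of already-permitted connections is expected.
        if (opt("--dport") == "" && st ~ /^(RELATED,ESTABLISHED|ESTABLISHED,RELATED)$/) next
        d = opt("-d"); sub(/\/32$/, "", d)
        if (opt("-p") != "tcp" || opt("--dport") != port || d != dest)
            report("unexpected FORWARD accept: " $0)
    }
    table == "nat" && opt("-j") == "DNAT" {
        if (opt("-p") != "tcp" || opt("--dport") != port ||
            opt("--to-destination") != (dest ":" port))
            report("unexpected DNAT: " $0)
    }
    END { if (!seen) report("no filter FORWARD policy found"); exit bad + 0 }'
}

# Constructed sample ruleset; eth1 is an assumed external interface name.
sample_ok() { cat <<'EOF'
*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 5445 -j DNAT --to-destination 10.1.1.2:5445
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.1.1.2/32 -i eth1 -p tcp -m state --state NEW -m tcp --dport 5445 -j ACCEPT
COMMIT
EOF
}
# Constructed misconfiguration: open FORWARD policy and a DNAT to port 8080.
sample_bad() { sample_ok | sed -e 's/^:FORWARD DROP/:FORWARD ACCEPT/' -e '/DNAT/s/5445/8080/g'; }
```

The function prints one finding per line and returns a non-zero status when the ruleset allows more than the intended forward, so it can gate a change review or run from a scheduled job.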
Procedure 11.34. Configuring Firewall on Microsoft Windows using PowerShell
- For debugging purposes, switch off the firewall to determine whether the current network behavior is related to the firewall configuration.
Start-Process "$psHome\powershell.exe" -Verb Runas -ArgumentList '-command "NetSh Advfirewall set allprofiles state off"'
- Allow UDP connections on port 23364. For example:
Start-Process "$psHome\powershell.exe" -Verb Runas -ArgumentList '-command "NetSh Advfirewall firewall add rule name=\"UDP Port 23364\" dir=in action=allow protocol=UDP localport=23364"'
Start-Process "$psHome\powershell.exe" -Verb Runas -ArgumentList '-command "NetSh Advfirewall firewall add rule name=\"UDP Port 23364\" dir=out action=allow protocol=UDP localport=23364"'
Procedure 11.35. Configure the Firewall on Red Hat Enterprise Linux 7 to Allow mod_cluster Advertising
- To allow mod_cluster advertising on Red Hat Enterprise Linux 7, you must enable the UDP port in the firewall as follows:
firewall-cmd --permanent --zone=public --add-port=23364/udp
Note: 224.0.1.105:23364 is the default address and port for mod_cluster balancer advertising UDP multicast.