Posted to users@activemq.apache.org by Sean K <sk...@gmail.com> on 2012/08/22 21:12:04 UTC
iptables and broker to broker transport
I have two centos machines up and running. When I disable or turn
off iptables, the one broker can establish a transport bridge with the
other broker on the other centos machine.
I noticed that the port number being used changes -- 53033, 53067, etc.
How can I configure each broker in the static network of brokers in a
way so that I can re-enable iptables?
I prefer to keep iptables running for security reasons -- not that it
is the best security out there.
Re: iptables and broker to broker transport
Posted by Gary Tully <ga...@gmail.com>.
You can specify a well-known local port in the network connector TCP
URL using a slash notation:
tcp://xx:61610/xx:51610
So in the duplex case, both port 61610 and local 51610 should be open
in the firewall.
On 23 August 2012 01:41, Sean K <sk...@gmail.com> wrote:
> So if I set broker centos-test3 as a unidirectional bridge, it cannot
> be a consumer, only a producer on a queue.
>
> How do real-world deployments handle data going in both directions?
>
> I can think of two ways:
>
> 1.) Put the broker in a less restricted DMZ zone in a company with
> fewer ports blocked.
> 2.) Create two sets of brokers on each side -- company A has
> broker A and broker B. Broker A is used by the producer. Broker B is used
> by the consumer. And company B has broker C, which is a consumer used only
> from broker A, and broker D, which is used by the producer only from
> broker B.
>
> So, there is no way to have duplex brokers on both sides of two
> companies with a known set of ports?
>
> SSL is already being planned to prevent spoofing. But I think a
> duplex broker on both sides would be nice.
>
> Does ActiveMQ 5.6 not handle that?
>
>
>
> On Wed, Aug 22, 2012 at 5:07 PM, ceposta <ch...@gmail.com> wrote:
>> The network connector in broker 2 has duplex set to "true".
>> This will open a connection in both directions, which explains the random
>> port on broker1.
>> Can you try having uni-directional network connectors on each broker?
>>
>>
>>
>> -----
>> http://www.christianposta.com/blog
>> --
>> View this message in context: http://activemq.2283324.n4.nabble.com/iptables-and-broker-to-broker-transport-tp4655452p4655464.html
>> Sent from the ActiveMQ - User mailing list archive at Nabble.com.
--
http://fusesource.com
http://blog.garytully.com
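As an added example (not code from this thread or from ActiveMQ itself), the snippet below parses the slash-notation connector URI Gary describes and derives iptables rules for both brokers, showing why pinning the local port lets the listening side match the source port instead of accepting any ephemeral one. The rule layout, the "initiator"/"listener" naming and the 192.168.10.101 address are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

@dataclass(frozen=True)
class Bridge:
    remote_host: str
    remote_port: int
    local_host: Optional[str]   # None: no local bind, so the OS picks an ephemeral source port
    local_port: Optional[int]

def parse_connector_uri(uri: str) -> Bridge:
    """Parse tcp://remote:port[/localhost:port]; the optional path pins the local bind."""
    u = urlparse(uri)
    if u.scheme not in ("tcp", "ssl") or u.hostname is None or u.port is None:
        raise ValueError(f"unsupported network connector uri: {uri}")
    path = u.path.lstrip("/")
    if not path:
        return Bridge(u.hostname, u.port, None, None)
    host, sep, port = path.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"local bind must be host:port, got {path!r}")
    return Bridge(u.hostname, u.port, host, int(port))

def iptables_rules(b: Bridge, initiator_ip: str, listener_ip: str) -> Dict[str, List[str]]:
    """Rules for the broker that opens the bridge (initiator) and the one it connects
    to (listener). With the local port pinned both ends can match source and destination
    port; without it the listener must accept any ephemeral port (53033, 53067, ...)."""
    sport = f" --sport {b.local_port}" if b.local_port else ""
    dport_back = f" --dport {b.local_port}" if b.local_port else ""
    return {
        "initiator": [
            f"-A OUTPUT -p tcp{sport} -d {listener_ip} --dport {b.remote_port} -j ACCEPT",
            f"-A INPUT -p tcp -s {listener_ip} --sport {b.remote_port}{dport_back}"
            " -m state --state ESTABLISHED -j ACCEPT",
        ],
        "listener": [
            f"-A INPUT -p tcp -s {initiator_ip}{sport} --dport {b.remote_port}"
            " -m state --state NEW,ESTABLISHED -j ACCEPT",
            f"-A OUTPUT -p tcp --sport {b.remote_port} -d {initiator_ip}{dport_back}"
            " -m state --state ESTABLISHED -j ACCEPT",
        ],
    }

if __name__ == "__main__":
    # constructed sample: centos-test3 (192.168.10.103 in the log) pins 51610 and connects
    # to centos-test1 on 61610; the 192.168.10.101 address for centos-test1 is made up
    bridge = parse_connector_uri("ssl://centos-test1.foo.com:61610/0.0.0.0:51610")
    for side, rules in iptables_rules(bridge, "192.168.10.103", "192.168.10.101").items():
        print(side, *rules, sep="\n  ")
```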
Re: iptables and broker to broker transport
Posted by Sean K <sk...@gmail.com>.
So if I set broker centos-test3 as a unidirectional bridge, it cannot
be a consumer, only a producer on a queue.
How do real-world deployments handle data going in both directions?
I can think of two ways:
1.) Put the broker in a less restricted DMZ zone in a company with
fewer ports blocked.
2.) Create two sets of brokers on each side -- company A has
broker A and broker B. Broker A is used by the producer. Broker B is used
by the consumer. And company B has broker C, which is a consumer used only
from broker A, and broker D, which is used by the producer only from
broker B.
So, there is no way to have duplex brokers on both sides of two
companies with a known set of ports?
SSL is already being planned to prevent spoofing. But I think a
duplex broker on both sides would be nice.
Does ActiveMQ 5.6 not handle that?
On Wed, Aug 22, 2012 at 5:07 PM, ceposta <ch...@gmail.com> wrote:
> The network connector in broker 2 has duplex set to "true".
> This will open a connection in both directions, which explains the random
> port on broker1.
> Can you try having uni-directional network connectors on each broker?
>
>
>
> -----
> http://www.christianposta.com/blog
Re: iptables and broker to broker transport
Posted by Sean K <sk...@gmail.com>.
If it is duplex, it is not configurable to use a certain port or specific range?
For my case, I am not 100% certain at this time whether unidirectional
will work for the business case.
On Wed, Aug 22, 2012 at 5:07 PM, ceposta <ch...@gmail.com> wrote:
> The network connector in broker 2 has duplex set to "true".
> This will open a connection in both directions, which explains the random
> port on broker1.
> Can you try having uni-directional network connectors on each broker?
>
>
>
> -----
> http://www.christianposta.com/blog
Re: iptables and broker to broker transport
Posted by ceposta <ch...@gmail.com>.
The network connector in broker 2 has duplex set to "true".
This will open a connection in both directions, which explains the random
port on broker1.
Can you try having uni-directional network connectors on each broker?
-----
http://www.christianposta.com/blog
Re: iptables and broker to broker transport
Posted by Sean K <sk...@gmail.com>.
attached: activemq-centos-test1.xml for broker 1
attached: activemq-centos-test3.xml for broker 2.
On Wed, Aug 22, 2012 at 3:46 PM, ceposta <ch...@gmail.com> wrote:
> From your logs:
>
> sk92129 wrote
>>
>> 2012-08-22 12:58:21,363 | INFO | Listening for connections at:
>> ssl://centos-test1.foo.com:61616?needClientAuth=true |
>> org.apache.activemq.transport.TransportServerThreadSupport | main
>>
>
> You can see from your config:
>
>
> sk92129 wrote
>>
>> <transportConnectors>
>> <transportConnector name="openwire"
>> uri="ssl://0.0.0.0:61616?needClientAuth=true" >
>> </transportConnector>
>> </transportConnectors>
>>
>
> The transport connector has been opened on the appropriate port.
>
> I wonder if what you're seeing is the outgoing port on the local machine
> that's being used to connect to the networked broker.
>
> Wanna post your network connector configs?
>
>
>
> -----
> http://www.christianposta.com/blog
> --
> View this message in context: http://activemq.2283324.n4.nabble.com/iptables-and-broker-to-broker-transport-tp4655452p4655461.html
> Sent from the ActiveMQ - User mailing list archive at Nabble.com.
Re: iptables and broker to broker transport
Posted by ceposta <ch...@gmail.com>.
From your logs:
sk92129 wrote
>
> 2012-08-22 12:58:21,363 | INFO | Listening for connections at:
> ssl://centos-test1.foo.com:61616?needClientAuth=true |
> org.apache.activemq.transport.TransportServerThreadSupport | main
>
You can see from your config:
sk92129 wrote
>
> <transportConnectors>
> <transportConnector name="openwire"
> uri="ssl://0.0.0.0:61616?needClientAuth=true" >
> </transportConnector>
> </transportConnectors>
>
The transport connector has been opened on the appropriate port.
I wonder if what you're seeing is the outgoing port on the local machine
that's being used to connect to the networked broker.
Wanna post your network connector configs?
-----
http://www.christianposta.com/blog
Re: iptables and broker to broker transport
Posted by Sean K <sk...@gmail.com>.
Maybe this activemq.log might shed more light on this:
2012-08-22 12:58:20,497 | INFO | ActiveMQ 5.6.0 JMS Message Broker (static-broker-centos-test1) is starting | org.apache.activemq.broker.BrokerService | main
2012-08-22 12:58:20,497 | INFO | For help or more information please see: http://activemq.apache.org/ | org.apache.activemq.broker.BrokerService | main
2012-08-22 12:58:21,363 | INFO | Listening for connections at: ssl://centos-test1.foo.com:61616?needClientAuth=true | org.apache.activemq.transport.TransportServerThreadSupport | main
2012-08-22 12:58:21,364 | INFO | Connector openwire Started | org.apache.activemq.broker.TransportConnector | main
2012-08-22 12:58:21,366 | INFO | ActiveMQ JMS Message Broker (static-broker-centos-test1, ID:centos-test1.foo.com-35354-1345665500514-0:1) started | org.apache.activemq.broker.BrokerService | main
2012-08-22 12:58:21,520 | INFO | jetty-7.6.1.v20120215 | org.eclipse.jetty.server.Server | main
2012-08-22 12:58:22,183 | INFO | ActiveMQ WebConsole initialized. | org.apache.activemq.web.WebConsoleStarter | main
2012-08-22 12:58:22,183 | INFO | started o.e.j.w.WebAppContext{/admin,file:/usr/local/activemq/apache-activemq-5.6.0/webapps/admin/} | org.eclipse.jetty.server.handler.ContextHandler | main
2012-08-22 12:58:22,401 | INFO | Initializing Spring FrameworkServlet 'dispatcher' | /admin | main
2012-08-22 12:58:23,458 | INFO | ActiveMQ Console at http://0.0.0.0:8161/admin | org.eclipse.jetty.webapp.WebAppContext | main
2012-08-22 12:58:23,593 | INFO | started o.e.j.w.WebAppContext{/demo,file:/usr/local/activemq/apache-activemq-5.6.0/webapps/demo/} | org.eclipse.jetty.server.handler.ContextHandler | main
2012-08-22 12:58:23,630 | INFO | ActiveMQ Web Demos at http://0.0.0.0:8161/demo | org.eclipse.jetty.webapp.WebAppContext | main
2012-08-22 12:58:23,698 | INFO | started o.e.j.w.WebAppContext{/fileserver,file:/usr/local/activemq/apache-activemq-5.6.0/webapps/fileserver/} | org.eclipse.jetty.server.handler.ContextHandler | main
2012-08-22 12:58:23,735 | INFO | RESTful file access application at http://0.0.0.0:8161/fileserver | org.eclipse.jetty.webapp.WebAppContext | main
2012-08-22 12:58:23,822 | INFO | Started SelectChannelConnector@0.0.0.0:8161 | org.eclipse.jetty.server.AbstractConnector | main
2012-08-22 13:01:23,657 | INFO | Connector vm://static-broker-centos-test1 Started | org.apache.activemq.broker.TransportConnector | ActiveMQ Transport: ssl:///192.168.10.103:41763
2012-08-22 13:01:23,711 | INFO | Started responder end of duplex bridge NC@ID:centos-test3.foo.com-40357-1345665680599-0:1 | org.apache.activemq.broker.TransportConnection | ActiveMQ Transport: ssl:///192.168.10.103:41763
2012-08-22 13:01:23,732 | INFO | Network connection between vm://static-broker-centos-test1#0 and ssl://centos-test3.foo.com/192.168.10.103:41763(static-broker-centos-test3) has been established. | org.apache.activemq.network.DemandForwardingBridgeSupport | StartLocalBridge: localBroker=vm://static-broker-centos-test1#0
If my transportConnectors look like this:
<transportConnectors>
    <transportConnector name="openwire"
        uri="ssl://0.0.0.0:61616?needClientAuth=true" >
    </transportConnector>
</transportConnectors>
Where does the port 41763 come from? It seems dynamic since that
port number changes as I restart the bridged brokers.
But where can I set that so that I can open up the firewall so that an
outside broker can connect to my broker?
On Wed, Aug 22, 2012 at 12:12 PM, Sean K <sk...@gmail.com> wrote:
> I have two centos machines up and running. When I disable or turn
> off iptables, the one broker can establish a transport bridge with the
> other broker on the other centos machine.
>
> I noticed that the port number being used changes -- 53033, 53067, etc.
>
> How can I configure each broker in the static network of brokers in a
> way so that I can re-enable iptables?
>
> I prefer to keep iptables running for security reasons -- not that it
> is the best security out there.