Posted to users@activemq.apache.org by Sean K <sk...@gmail.com> on 2012/08/22 21:12:04 UTC

iptables and broker to broker transport

I have two centos machines up and running.   When I disable or turn
off iptables, the one broker can establish a transport bridge with the
other broker on the other centos machine.

I noticed that the port number being used changes -- 53033, 53067, etc.

How can I configure each broker in the static network of brokers in a
way so that I can re-enable iptables?

I prefer to keep iptables running for security reasons -- not that it
is the best security out there.

Re: iptables and broker to broker transport

Posted by Gary Tully <ga...@gmail.com>.
You can specify a well-known local port in the network connector tcp
url using a slash notation:

tcp://xx:61610/xx:51610

So in the duplex case, both port 61610 and local 51610 should be open
in the firewall.

On 23 August 2012 01:41, Sean K <sk...@gmail.com> wrote:
> So if I set broker centos-test3 as a unidirectional bridge- it cannot
> be a consumer, only a producer on a queue.
>
> How do real-world deployments handle data going in both directions?
>
> I can think of two ways:
>
> 1.) put the broker in a less restricted DMZ zone in a company with
> fewer ports blocked.
> 2.) create two sets of brokers on each side -- one companyA has
> brokerA and broker B.  Broker A is used by producer.  Broker B is used
> by consumer.   And companyB has broker C which is consumer used only
> from broker A, and has broker D which is used by producer only from
> Broker B.
>
> So, there is no way to have duplex brokers on both sides of two
> companies with a set of known ports?
>
> SSL is already being planned to prevent spoofing.   But I think a
> duplex broker on both sides would be nice.
>
> Does activemq 5.6 not handle that?
>
>
>
> On Wed, Aug 22, 2012 at 5:07 PM, ceposta <ch...@gmail.com> wrote:
>> The network connector in broker 2 has duplex set to "true"
>> This will open a connection in both directions, which explains the random
>> port on broker1.
>> Can you try having uni-directional network connectors on each broker?
>>
>>
>>
>> -----
>> http://www.christianposta.com/blog
>> --
>> View this message in context: http://activemq.2283324.n4.nabble.com/iptables-and-broker-to-broker-transport-tp4655452p4655464.html
>> Sent from the ActiveMQ - User mailing list archive at Nabble.com.



-- 
http://fusesource.com
http://blog.garytully.com
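Gary's slash notation carried through to the firewall, as an added example that is not from this thread or from the ActiveMQ project: a POSIX shell script that parses a connector URI of the form scheme://remotehost:remoteport/localhost:localport and prints the iptables rules each side of the bridge needs, so the bridge is permitted only on its pinned source port rather than on whatever ephemeral port the OS picks (the port that kept changing in Sean's logs). It assumes that ssl:// takes the same local-address suffix as tcp://, that the conntrack match is available, and that every host name, port and address in it is invented.

```shell
#!/bin/sh
# Added example, not from the thread or from ActiveMQ. Assumed networkConnector
# on the initiating broker (all hosts and ports below are invented):
#   <networkConnector name="to-test3" duplex="true"
#       uri="static:(ssl://centos-test3.foo.com:61616/0.0.0.0:51610)"/>
# The /localhost:localport suffix pins the bridge socket's source port, so the
# firewall can name it; iptables resolves host names when a rule is inserted.

# parse_uri URI -> "scheme remotehost remoteport localhost localport" on stdout;
# non-zero status if the URI carries no pinned local part or a non-numeric port.
parse_uri() {
    uri=${1%%\?*}                 # drop ?key=value transport options first
    case "$uri" in
        *://*/*) ;;
        *) echo "expected scheme://host:port/localhost:port, got: $1" >&2; return 1 ;;
    esac
    scheme=${uri%%://*}
    rest=${uri#*://}              # remotehost:remoteport/localhost:localport
    remote=${rest%%/*}
    localaddr=${rest#*/}
    for p in "${remote##*:}" "${localaddr##*:}"; do
        case "$p" in ''|*[!0-9]*) echo "bad port in $1" >&2; return 1 ;; esac
    done
    echo "$scheme ${remote%%:*} ${remote##*:} ${localaddr%%:*} ${localaddr##*:}"
}

# initiator_rules URI: rules for the broker that carries the networkConnector.
# Only the pinned source port may open the bridge; replies are matched by state.
initiator_rules() {
    fields=$(parse_uri "$1") || return 1
    set -- $fields                # $2 remotehost $3 remoteport $5 localport
    echo "iptables -A OUTPUT -p tcp -d $2 --sport $5 --dport $3 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A INPUT  -p tcp -s $2 --sport $3 --dport $5 -m conntrack --ctstate ESTABLISHED -j ACCEPT"
}

# acceptor_rules URI INITIATOR_ADDR: rules for the broker being connected to.
# The URI only names the acceptor's own listener, so the peer address is explicit.
acceptor_rules() {
    peer=$2
    [ -n "$peer" ] || { echo "acceptor_rules: initiator address required" >&2; return 1; }
    fields=$(parse_uri "$1") || return 1
    set -- $fields
    echo "iptables -A INPUT  -p tcp -s $peer --sport $5 --dport $3 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A OUTPUT -p tcp -d $peer --sport $3 --dport $5 -m conntrack --ctstate ESTABLISHED -j ACCEPT"
}

# Print both rule sets for the assumed bridge; review them before loading.
bridge='ssl://centos-test3.foo.com:61616/0.0.0.0:51610'   # invented endpoints
initiator_rules "$bridge"
acceptor_rules "$bridge" 192.168.10.101                    # invented initiator IP
```

The two rule sets belong on different machines, and each must sit ahead of any catch-all DROP in its chain.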

Re: iptables and broker to broker transport

Posted by Sean K <sk...@gmail.com>.
So if I set broker centos-test3 as a unidirectional bridge- it cannot
be a consumer, only a producer on a queue.

How do real-world deployments handle data going in both directions?

I can think of two ways:

1.) put the broker in a less restricted DMZ zone in a company with
fewer ports blocked.
2.) create two sets of brokers on each side -- one companyA has
brokerA and broker B.  Broker A is used by producer.  Broker B is used
by consumer.   And companyB has broker C which is consumer used only
from broker A, and has broker D which is used by producer only from
Broker B.

So, there is no way to have duplex brokers on both sides of two
companies with a set of known ports?

SSL is already being planned to prevent spoofing.   But I think a
duplex broker on both sides would be nice.

Does activemq 5.6 not handle that?



On Wed, Aug 22, 2012 at 5:07 PM, ceposta <ch...@gmail.com> wrote:
> The network connector in broker 2 has duplex set to "true"
> This will open a connection in both directions, which explains the random
> port on broker1.
> Can you try having uni-directional network connectors on each broker?
>
>
>
> -----
> http://www.christianposta.com/blog
> --
> View this message in context: http://activemq.2283324.n4.nabble.com/iptables-and-broker-to-broker-transport-tp4655452p4655464.html
> Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Re: iptables and broker to broker transport

Posted by Sean K <sk...@gmail.com>.
If it is duplex, it is not configurable to use a certain port or specific range?

For my case, I am not 100% certain at this time whether unidirectional
will work for the business case.




On Wed, Aug 22, 2012 at 5:07 PM, ceposta <ch...@gmail.com> wrote:
> The network connector in broker 2 has duplex set to "true"
> This will open a connection in both directions, which explains the random
> port on broker1.
> Can you try having uni-directional network connectors on each broker?
>
>
>
> -----
> http://www.christianposta.com/blog
> --
> View this message in context: http://activemq.2283324.n4.nabble.com/iptables-and-broker-to-broker-transport-tp4655452p4655464.html
> Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Re: iptables and broker to broker transport

Posted by ceposta <ch...@gmail.com>.
The network connector in broker 2 has duplex set to "true"
This will open a connection in both directions, which explains the random
port on broker1.
Can you try having uni-directional network connectors on each broker?



-----
http://www.christianposta.com/blog
--
View this message in context: http://activemq.2283324.n4.nabble.com/iptables-and-broker-to-broker-transport-tp4655452p4655464.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Re: iptables and broker to broker transport

Posted by Sean K <sk...@gmail.com>.
attached: activemq-centos-test1.xml for broker 1

attached: activemq-centos-test3.xml for broker 2.



On Wed, Aug 22, 2012 at 3:46 PM, ceposta <ch...@gmail.com> wrote:
> From your logs:
>
> sk92129 wrote
>>
>> 2012-08-22 12:58:21,363 | INFO  | Listening for connections at:
>> ssl://centos-test1.foo.com:61616?needClientAuth=true |
>> org.apache.activemq.transport.TransportServerThreadSupport | main
>>
>
> You can see from your config:
>
>
> sk92129 wrote
>>
>>         <transportConnectors>
>>             <transportConnector name="openwire"
>> uri="ssl://0.0.0.0:61616?needClientAuth=true" >
>>             </transportConnector>
>>         </transportConnectors>
>>
>
> The transport connector has been opened on the appropriate port.
>
> I wonder if what you're seeing is the outgoing port on the local machine
> that's being used to connect to the networked broker.
>
> Wanna post your network connector configs?
>
>
>
> -----
> http://www.christianposta.com/blog
> --
> View this message in context: http://activemq.2283324.n4.nabble.com/iptables-and-broker-to-broker-transport-tp4655452p4655461.html
> Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Re: iptables and broker to broker transport

Posted by ceposta <ch...@gmail.com>.
From your logs:

sk92129 wrote
> 
> 2012-08-22 12:58:21,363 | INFO  | Listening for connections at:
> ssl://centos-test1.foo.com:61616?needClientAuth=true |
> org.apache.activemq.transport.TransportServerThreadSupport | main
> 

You can see from your config:


sk92129 wrote
> 
>         <transportConnectors> 
>             <transportConnector name="openwire" 
> uri="ssl://0.0.0.0:61616?needClientAuth=true" > 
>             </transportConnector> 
>         </transportConnectors> 
> 

The transport connector has been opened on the appropriate port.

I wonder if what you're seeing is the outgoing port on the local machine
that's being used to connect to the networked broker. 

Wanna post your network connector configs?



-----
http://www.christianposta.com/blog
--
View this message in context: http://activemq.2283324.n4.nabble.com/iptables-and-broker-to-broker-transport-tp4655452p4655461.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Re: iptables and broker to broker transport

Posted by Sean K <sk...@gmail.com>.
Maybe this activemq.log will shed more light on this:

2012-08-22 12:58:20,497 | INFO  | ActiveMQ 5.6.0 JMS Message Broker
(static-broker-centos-test1) is starting |
org.apache.activemq.broker.BrokerService | main
2012-08-22 12:58:20,497 | INFO  | For help or more information please
see: http://activemq.apache.org/ |
org.apache.activemq.broker.BrokerService | main
2012-08-22 12:58:21,363 | INFO  | Listening for connections at:
ssl://centos-test1.foo.com:61616?needClientAuth=true |
org.apache.activemq.transport.TransportServerThreadSupport | main
2012-08-22 12:58:21,364 | INFO  | Connector openwire Started |
org.apache.activemq.broker.TransportConnector | main
2012-08-22 12:58:21,366 | INFO  | ActiveMQ JMS Message Broker
(static-broker-centos-test1,
ID:centos-test1.foo.com-35354-1345665500514-0:1) started |
org.apache.activemq.broker.BrokerService | main
2012-08-22 12:58:21,520 | INFO  | jetty-7.6.1.v20120215 |
org.eclipse.jetty.server.Server | main
2012-08-22 12:58:22,183 | INFO  | ActiveMQ WebConsole initialized. |
org.apache.activemq.web.WebConsoleStarter | main
2012-08-22 12:58:22,183 | INFO  | started
o.e.j.w.WebAppContext{/admin,file:/usr/local/activemq/apache-activemq-5.6.0/webapps/admin/}
| org.eclipse.jetty.server.handler.ContextHandler | main
2012-08-22 12:58:22,401 | INFO  | Initializing Spring FrameworkServlet
'dispatcher' | /admin | main
2012-08-22 12:58:23,458 | INFO  | ActiveMQ Console at
http://0.0.0.0:8161/admin | org.eclipse.jetty.webapp.WebAppContext |
main
2012-08-22 12:58:23,593 | INFO  | started
o.e.j.w.WebAppContext{/demo,file:/usr/local/activemq/apache-activemq-5.6.0/webapps/demo/}
| org.eclipse.jetty.server.handler.ContextHandler | main
2012-08-22 12:58:23,630 | INFO  | ActiveMQ Web Demos at
http://0.0.0.0:8161/demo | org.eclipse.jetty.webapp.WebAppContext |
main
2012-08-22 12:58:23,698 | INFO  | started
o.e.j.w.WebAppContext{/fileserver,file:/usr/local/activemq/apache-activemq-5.6.0/webapps/fileserver/}
| org.eclipse.jetty.server.handler.ContextHandler | main
2012-08-22 12:58:23,735 | INFO  | RESTful file access application at
http://0.0.0.0:8161/fileserver |
org.eclipse.jetty.webapp.WebAppContext | main
2012-08-22 12:58:23,822 | INFO  | Started
SelectChannelConnector@0.0.0.0:8161 |
org.eclipse.jetty.server.AbstractConnector | main
2012-08-22 13:01:23,657 | INFO  | Connector
vm://static-broker-centos-test1 Started |
org.apache.activemq.broker.TransportConnector | ActiveMQ Transport:
ssl:///192.168.10.103:41763
2012-08-22 13:01:23,711 | INFO  | Started responder end of duplex
bridge NC@ID:centos-test3.foo.com-40357-1345665680599-0:1 |
org.apache.activemq.broker.TransportConnection | ActiveMQ Transport:
ssl:///192.168.10.103:41763
2012-08-22 13:01:23,732 | INFO  | Network connection between
vm://static-broker-centos-test1#0 and
ssl://centos-test3.foo.com/192.168.10.103:41763(static-broker-centos-test3)
has been established. |
org.apache.activemq.network.DemandForwardingBridgeSupport |
StartLocalBridge: localBroker=vm://static-broker-centos-test1#0


If my transportConnectors look like this:

        <transportConnectors>
            <transportConnector name="openwire"
                uri="ssl://0.0.0.0:61616?needClientAuth=true" >
            </transportConnector>
        </transportConnectors>


Where does the port 41763 come from?   It seems dynamic since that
port number changes as I restart the bridged brokers.

But where can I set that so that I can open up the firewall so that an
outside broker can connect to my broker?







On Wed, Aug 22, 2012 at 12:12 PM, Sean K <sk...@gmail.com> wrote:
> I have two centos machines up and running.   When I disable or turn
> off iptables, the one broker can establish a transport bridge with the
> other broker on the other centos machine.
>
> I noticed that the port number being used changes -- 53033, 53067, etc.
>
> How can I configure each broker in the static network of brokers in a
> way so that I can re-enable iptables?
>
> I prefer to keep iptables running for security reasons -- not that it
> is the best security out there.