[Mulgara-dev] [Topaz-dev] connecting to mulgara on remote server requires allowing connections to a random high port

Amit Kapoor amitkapoor at mindspring.com
Tue Apr 22 20:52:25 UTC 2008


Hi Russ,

    I am going to take a guess at what is going on and let others with more
    technical knowledge correct me. I believe it is an inherent limitation in
    Mulgara right now, and I think it should not be too hard to fix.

    I think the basic problem is Mulgara registering its 'server object' using
    an anonymous port with the RMI registry and an administrator not knowing
    this cannot configure that specific port on the firewall.

On Tue, Apr 22, 2008 at 12:48:40PM -0700, Russell Uman wrote:
> running mulgara on branch server, ambra locally.
> 
> [root at sfweb02 WEB-INF]# /etc/init.d/mulgara status
> mulgara (30571) is running from /usr/local/topaz/mulgara
>   PID USER       RSS %MEM     ELAPSED     TIME %CPU COMMAND
> 30571 topaz    128616  6.6      22:57 00:00:10  0.7 java
> java    30571 topaz    5u  IPv6 3719905       TCP *:53773 (LISTEN)

    This is the Mulgara RMI server object. I believe Mulgara is asking the OS
    to assign it a port and gets one at random.

> java    30571 topaz    8u  IPv6 3719907       TCP *:21212 (LISTEN)
> java    30571 topaz   10u  IPv6 3719911       TCP *:1099 (LISTEN)

    RMI Registry port. This has to be open via iptables, if you want other
    machines to have access to Mulgara.

> java    30571 topaz  128u  IPv6 3720176       TCP *:35791 (LISTEN)
> java    30571 topaz  129u  IPv6 3720177       TCP 127.0.0.1:6789 (LISTEN)
> 
> i get the following errors in ambra.log when i try to start ambra:
> 
> WARN  [main] WebAppListenerInitModels - bootstrap of models failed
> org.topazproject.otm.OtmException: Error talking to 'rmi://sfweb02.plos.org/topazproject'
> Caused by: org.mulgara.connection.ConnectionException: Unable to connect to a server
> Caused by: org.mulgara.server.driver.SessionFactoryFinderException: Couldn't create session factory for rmi://sfweb02.plos.org/topazproject
> Caused by: java.net.NoRouteToHostException: No route to host: connect

    Ambra looks up Mulgara from the RMI registry at port 1099 and gets back the
    object at port 53773.

> i opened up tcpdump to see what was going on:
> 
> 12:26:53.003432 IP 10.135.1.11.1099 > 10.135.2.75.1191: . ack 81 win 5840
> 12:26:53.004408 IP 10.135.1.11.1099 > 10.135.2.75.1191: P 19:252(233) ack 81 win 5840
> 12:26:53.038449 IP 10.135.2.75.1192 > 10.135.1.11.53773: S 3355006600:3355006600(0) win 65535 <mss 1460,nop,nop,sackOK>
> 12:26:53.038470 IP 10.135.1.11 > 10.135.2.75: ICMP host 10.135.1.11 unreachable - admin prohibited, length 56
> 
> well, i hadn't opened iptables for port 53773, so no wonder.

    Tries to connect and is rejected by iptables.

> after disabling iptables, ambra is able to connect to the mulgara server
> on branch.

    Yup.

> this isn't good practice from a security standpoint, and i'm
> disappointed to see it creeping back in (we already require a completely
> open firewall between mulgara and ambra to allow ehcache traffic between
> mulgara and ambra: http://www.topazproject.org/trac/ticket/775)
> 
> is there any way to fix this with rmi?

    I think there are two ways:

    1. iptables (or a proxy) is able to sniff the randomly assigned port in the
       return data from the RMI registry and opens that to the world. I did a
       Google search and did not find anything here. Maybe others on the list
       know of a better solution.

    2. Mulgara fixes the port it allocates to the server object registered with
       the RMI registry. Looks fairly simple to do with
       UnicastRemoteObject, but not knowing Mulgara code I don't know if there
       is a catch here. Ronald, Paul, Andrae?

    regards

Amit
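The following is an added illustration of option 2 above, not Mulgara's own code: a minimal RMI server that exports its remote object on a fixed port instead of an OS-assigned one, so that a firewall only needs the registry port and one known object port open. The `PingService` interface, the `topazproject` binding name and the object port 21213 are assumptions chosen for the example.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;

// Hypothetical remote interface standing in for Mulgara's server object.
interface PingService extends Remote {
    String ping(String msg) throws RemoteException;
}

public class FixedPortRmiServer {
    // The well-known RMI registry port seen as "TCP *:1099 (LISTEN)" above.
    static final int REGISTRY_PORT = 1099;
    // Assumed fixed port for the exported object; this is the value an
    // administrator would allow in iptables alongside 1099.
    static final int OBJECT_PORT = 21213;

    static class PingImpl implements PingService {
        public String ping(String msg) { return "pong: " + msg; }
    }

    public static void main(String[] args) throws Exception {
        PingService impl = new PingImpl();

        // exportObject(obj) or exportObject(obj, 0) asks the OS for an
        // ephemeral port, which is what produced "TCP *:53773 (LISTEN)".
        // Passing an explicit port pins the listener to OBJECT_PORT, and the
        // stub handed to clients by the registry now carries that fixed port.
        PingService stub =
            (PingService) UnicastRemoteObject.exportObject(impl, OBJECT_PORT);

        // The registry itself listens on a fixed port as well.
        Registry registry = LocateRegistry.createRegistry(REGISTRY_PORT);
        registry.rebind("topazproject", stub);

        // Remote clients resolve the host embedded in the stub; on a
        // multi-homed server set -Djava.rmi.server.hostname=<public name>
        // so the stub points at an address the firewall rule covers.
        System.out.println("registry on " + REGISTRY_PORT
            + ", server object on " + OBJECT_PORT);
    }

    // Client side: lookup goes to REGISTRY_PORT, the ping call goes to
    // OBJECT_PORT, so both connections hit known, firewall-able ports.
    static String lookupAndPing(String host) throws Exception {
        Registry registry = LocateRegistry.getRegistry(host, REGISTRY_PORT);
        PingService svc = (PingService) registry.lookup("topazproject");
        return svc.ping("hello");
    }
}
```

With this layout the `NoRouteToHostException` in the thread would not occur as long as iptables permits inbound TCP on 1099 and 21213; confirm with `lsof` that no other `*:<random> (LISTEN)` socket remains for the same JVM.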
