[Engine-devel] Proposed change in default port numbers

Juan Hernandez jhernand at redhat.com
Tue Jul 17 18:27:44 UTC 2012


On 07/17/2012 08:19 PM, Steve Gordon wrote:
> ----- Original Message -----
>> From: "Juan Hernandez" <jhernand at redhat.com>
>> To: "Andrew Cathrow" <acathrow at redhat.com>
>> Cc: engine-devel at ovirt.org
>> Sent: Monday, July 16, 2012 3:27:02 PM
>> Subject: Re: [Engine-devel] Proposed change in default port numbers
>>
>> On 07/16/2012 09:21 PM, Andrew Cathrow wrote:
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Juan Hernandez" <jhernand at redhat.com>
>>>> To: engine-devel at ovirt.org
>>>> Sent: Monday, July 16, 2012 2:44:40 PM
>>>> Subject: [Engine-devel] Proposed change in default port numbers
>>>>
>>>> Hello all,
>>>>
>>>> In change http://gerrit.ovirt.org/6348 I am proposing to change
>>>> the
>>>> default port numbers used by the engine, in order to avoid
>>>> conflicts
>>>> with the default ports used by JBoss.
>>>
>>> To be clear though even if we moved to use port 6090 for http and
>>> 6091 for https we'd still have 80/443 available through the
>>> installer.
>>
>> Correct, 80 and 443 will continue to be the default ports when using
>> Apache as proxy in front of JBoss:
>>
>>   80 -> 80 (no change)
>>   443 -> 443 (no change)
>>   8080 -> 6090
>>   8443 -> 6091
> 
> This is probably a stupid question, but what are the following ports used for:
> 
>>   8009 -> 6092

This port is used for the communication between the Apache web server
and the JBoss application server using the AJP protocol. It doesn't need
to be available outside of the machine.

>>   4447 -> 6093

This port is used by the remoting capability of the application server:
calling EJBs from external applications. We don't use it but it is
required anyhow. It doesn't need to be available outside of the machine.

>>   4712 -> 6094
>>   4713 -> 6095

These two ports are used by the transaction manager inside JBoss. They
don't need to be available outside of the machine.

So none of them needs a firewall rule to allow inbound traffic. I am
proposing a different change to bind those ports to the loopback address
so that they are not available even when the firewall is disabled:

http://gerrit.ovirt.org/6349

I would disable them completely, but didn't find the way to do it yet.

> As far as I know we don't have them listed anywhere in the documentation as requiring a firewall rule to allow them, should we?

They don't require a firewall rule to allow incoming traffic. We could
explain in the documentation that they are required, but only for
communications internal to the machine.

-- 
Business address: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
3ºD, 28016 Madrid, Spain
Registered in the Madrid Mercantile Registry – C.I.F. B82657941 - Red Hat S.L.
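
An added example, not part of the original message or of the oVirt code: a Python check that parses `ss -ltn` output and reports any of the internal ports from the proposal above (6092 to 6095) that listen on something other than a loopback address. The `ss` sample is constructed, the function names are hypothetical, and the port numbers assume the proposed defaults are in use.

```python
import ipaddress

# Proposed internal engine ports from the message above:
# AJP, remoting, and the two transaction manager ports.
INTERNAL_PORTS = {6092: "AJP", 6093: "remoting",
                  6094: "transactions", 6095: "transactions"}

def is_loopback(addr):
    """True only for loopback addresses; wildcards ('*', 0.0.0.0, ::) are not."""
    addr = addr.split("%", 1)[0].strip("[]")   # drop %iface scope and IPv6 brackets
    if addr == "*":
        return False
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False                           # unparsable: report rather than trust
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                    # e.g. ::ffff:127.0.0.1
    return ip.is_loopback

def exposed_internal_listeners(ss_output, internal=INTERNAL_PORTS):
    """Return sorted (port, service, address) for internal ports not on loopback."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                           # header, blank or non-listening line
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in internal:
            continue                           # 6090/6091 are meant to be reachable
        if not is_loopback(addr):
            findings.add((int(port), internal[int(port)], addr))
    return sorted(findings)

# Constructed sample of `ss -ltn` output (not taken from a real engine host).
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128          0.0.0.0:6090       0.0.0.0:*
LISTEN 0      128          0.0.0.0:6091       0.0.0.0:*
LISTEN 0      128        127.0.0.1:6092       0.0.0.0:*
LISTEN 0      128          0.0.0.0:6093       0.0.0.0:*
LISTEN 0      128            [::1]:6094          [::]:*
LISTEN 0      128             [::]:6095          [::]:*
"""

if __name__ == "__main__":
    for port, service, addr in exposed_internal_listeners(SAMPLE):
        print(f"port {port} ({service}) listens on {addr}, expected loopback only")
```

On a live host the same function can be fed the output of `ss -ltn` instead of the sample.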
