Firewall and Subsonic....

Postby daniell » Thu Aug 26, 2010 11:41 pm

Have just set up Astaro Security Gateway 8 on a spare server, and have port forwarded port 4040 to my Subsonic.
Now the question! What other ports do I have to port forward other than TCP 4040? I know Jetty uses some ports on IPv6.


Thanks
Supermicro Intel(R) Core(TM) i7-3555LE CPU @ 2.50GHz, 4 cores 8gb ram
CentOS Linux 6.6 Server, jetty-6.1.x, java 1.7.0_71, Linux (143,2 MB / 437,5 MB) Subsonic 5.1
Supermicro Intel® Atom™ D510 4gb ram
Sophos Security Gateway UTM /v9
daniell
 
Posts: 90
Joined: Fri Nov 13, 2009 6:44 am
Location: Stavanger, Norway

Postby Kirk » Sat Aug 28, 2010 7:51 pm

I don't do anything with IPv6 but as far as I know you've already forwarded the only port you should have to forward...

Cheers,
Kirk
Kirk
 
Posts: 310
Joined: Tue Jun 08, 2010 5:45 pm
Location: Illinois, USA

Postby daniell » Sat Aug 28, 2010 9:20 pm

Well, the Astaro project is not completed yet, still in a test state, but it will not allow access to Subsonic, even though port 4040 is open and port forwarded.
As I mentioned, the Java Jetty does use some ports on IPv6, but which?
I believe it's the necessary IPv6 ports that are blocked by Astaro Security Gateway.
Thanks

Postby delcypher » Sun Aug 29, 2010 11:20 pm

Jetty is a webserver; it shouldn't need access to any other port than the hosting port. Needing additional ports would just be silly.

Why would using IPv6 matter? I can't find anything in Jetty's documentation that mentions this.

I believe Astaro is Linux based. Have you checked that Subsonic is allowed by /etc/hosts.allow & /etc/hosts.deny? (Read the man pages, I'm not sure if they will have an effect.)

You may also have a very strict iptables rule in place preventing access.

You can run the following to see what chains you have in place.
Code:
iptables -t nat -L


Also check

Code:
iptables -t filter -L
delcypher
 
Posts: 109
Joined: Tue Jun 01, 2010 10:39 am

Postby daniell » Mon Aug 30, 2010 1:06 pm

Thanks delcypher

I ran the lsof command, look at this:

lsof -i -n -P
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 2358 root 3u IPv6 7696 TCP *:xxxx (LISTEN)
java 2376 root 64u IPv6 8518 TCP *:4040 (LISTEN)
java 2376 root 65u IPv6 8528 TCP *:9412 (LISTEN)
java 2376 root 66u IPv6 8529 TCP *:37848 (LISTEN)
smbd 2438 root 20u IPv4 7974 TCP *:445 (LISTEN)
smbd 2438 root 21u IPv4 7975 TCP *:139 (LISTEN)

No other web app services are running!

Postby delcypher » Mon Aug 30, 2010 3:29 pm

I checked my install and I noticed that subsonic was listening on other ports

I ran netstat -lpn

I found java (so presumably subsonic) on ports 4040, 9412 & 52753

4040 - web port
9412 - According to subsonic_sh.log, this is the RMI service (http://www.javacoffeebreak.com/articles/javarmi/javarmi.html)
52753 - I've no idea what port this is; I couldn't get a response using nc.

Maybe we should speak to Sindre about what those ports are used for, as I didn't know about this before and I would be quite interested in what they are used for.

If we're being paranoid then we can prevent any access to these ports with the following iptables command (note this is only for port 9412).


Code:
iptables -t filter -A INPUT -p tcp --dport 9412 -j REJECT


To remove this rule run the following command
Code:
iptables -t filter -D INPUT -p tcp --dport 9412 -j REJECT


To see what rules are in place in the filter table run the following command

Code:
iptables -t filter -L


lsof & netstat will still show that those programs are listening but if you or someone on your network tries to connect to it they will get a connection refused message.

I've tried blocking ports 9412 and 52753 using the above iptables rules and subsonic still "seems" to be working so your problem probably lies elsewhere.

Hope this helps.

Postby daniell » Mon Aug 30, 2010 8:08 pm

Yes, I agree, maybe Sindre could tell us about these ports and the port service activities on IPv6.

This is another port I believe Subsonic is using in some way on IPv6:
java 2376 root 66u IPv6 8529 TCP *:37848 (LISTEN)

Postby sindre_mehus » Tue Aug 31, 2010 5:55 am

Hi,

Port 9412 is used for RMI communication between the Subsonic server and the Subsonic agent (tray icon). 52753 (or whatever) is probably an ephemeral port also used by the RMI connection.
Subsonic developer
sindre_mehus
 
Posts: 1955
Joined: Tue Nov 29, 2005 6:19 pm
Location: Oslo, Norway

Re:

Postby posern » Sat Sep 21, 2013 10:59 am

sindre_mehus wrote: Port 9412 is used for RMI communication between the Subsonic server and the Subsonic agent (tray icon). 52753 (or whatever) is probably an ephemeral port also used by the RMI connection.


Is there a way to disable RMI? I am not using any tray icon.
Or is there a way to have Java bind these RMI ports only on interface 127.0.0.1 or a custom interface?
(there seems to be no evident way to achieve this)

Thanks a lot in advance!
posern
 
Posts: 1
Joined: Fri Sep 20, 2013 1:29 pm
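
Added example, not part of any post in this thread and not Subsonic's own code: one way to get the loopback-only behaviour posern asks about at the firewall, building on delcypher's iptables rule. The second RMI port changes between installs (52753 and 37848 above), so the ports are read from a listener listing instead of being hard-coded, and because the listing shows IPv6 sockets while iptables only filters IPv4, each rule is emitted for ip6tables as well. The function names and the sample listing are constructed for this example; it assumes the tray agent connects over the loopback interface.

```shell
#!/bin/sh
# Constructed sample in the format of `lsof -i -n -P` output; the java lines
# mirror the listing posted in the thread, the sshd port is a made-up value.
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 2358 root 3u IPv6 7696 TCP *:22 (LISTEN)
java 2376 root 64u IPv6 8518 TCP *:4040 (LISTEN)
java 2376 root 65u IPv6 8528 TCP *:9412 (LISTEN)
java 2376 root 66u IPv6 8529 TCP *:37848 (LISTEN)
smbd 2438 root 20u IPv4 7974 TCP *:445 (LISTEN)'

# Print the TCP ports on which command $1 listens on all interfaces ("*:port"),
# leaving out the one port that is meant to be reachable ($2).
# Reads lsof output on stdin; the address is taken as the field before "(LISTEN)".
wildcard_ports() {
    awk -v cmd="$1" -v pub="$2" '
        $1 == cmd && $NF == "(LISTEN)" && $(NF-1) ~ /^\*:[0-9]+$/ {
            port = substr($(NF-1), 3)      # strip the leading "*:"
            if (port != pub) print port
        }' | sort -n | uniq
}

# For each port on stdin, print a rule that rejects connections arriving on any
# interface except loopback, once for IPv4 and once for IPv6.
# The rules are printed for review, not executed.
loopback_only_rules() {
    while read -r port; do
        for fw in iptables ip6tables; do
            echo "$fw -t filter -A INPUT ! -i lo -p tcp --dport $port -j REJECT"
        done
    done
}

# On a live host, replace the sample with:  lsof -i -n -P | wildcard_ports java 4040
printf '%s\n' "$SAMPLE_LSOF" | wildcard_ports java 4040 | loopback_only_rules
```

Each printed rule can be undone by running it again with -D in place of -A, as in delcypher's post. The ephemeral port is chosen again when Subsonic restarts, so the listing has to be re-read after a restart.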

