[tao-users] Re: how to know or restrict the ports used between corba servers and clients
Balachandran Natarajan
2003-08-23 21:26:16 UTC
Hi
I will be needing to specify a range (a small range hopefully) of
ports to open up in a firewall
so various corba clients and servers can comm through the firewall.

I see.

I experimented a bit with just 2 computers and it seems the port
numbers are in the 30000 range
(I saw some in the 32000 range and some in the 36000 range).

Hmm.. Strange. Not sure which version of ACE+TAO you are
using. Probably there could be a bug in TAO. IANA has specified port
683 for IIOP connections. TAO should at least use that on the server. I
see code that assigns the default port to 683. Not sure why it doesn't
work for you.

Anyway, we don't have an option to control the port number to which
the clients bind to.

Is there a config file somewhere where this is specified or where I
can specify a range?

Good question. We don't have one as on date. I don't think it's too
hard to implement that. You could probably sponsor the doc_group to
implement that for you. Or you could also contact one of the
commercial support folks to implement that for you in the commercial
version of choice.


HTH

Thanks
Bala
Ossama Othman
2003-08-24 16:05:54 UTC
Hi Bala,
Post by Balachandran Natarajan
Hmm.. Strange. Not sure which version of ACE+TAO you are
using. Probably there could be a bug in TAO. IANA has specified port
683 for IIOP connections. TAO should at least use that on the server. I
see code that assigns the default port to 683. Not sure why it doesn't
work for you.

It's only set in the TAO_IIOP_Endpoint constructor that doesn't accept a
port, but I don't believe we use that constructor on the server side.
We always pass a port to the IIOP_Endpoint instance created by the
IIOP_Acceptor.

In any case, I don't believe that this is a bug in TAO. From what I
recall, use of port 683 by default is not required by the spec. It only
exists to provide firewall users with a known IIOP-specific port.
Besides, using port 683 by default would cause problems for non-root
users since it is a privileged port on Unix platforms.

-Ossama
--
Ossama Othman <***@dre.vanderbilt.edu>
Balachandran Natarajan
2003-08-24 16:35:15 UTC
Ossama-

On , 24 August, 2003 at 08:59:16 -0700, Ossama Othman wrote:
[snipped]
Post by Ossama Othman
In any case, I don't believe that this is a bug in TAO. From what I
recall, use of port 683 by default is not required by the spec. It only
exists to provide firewall users with a known IIOP-specific port.

Right! I believe the question the user posted was precisely for
this. There is no way available for the user to use the IANA specified
port in TAO. This IMHO is a bug.

Post by Ossama Othman
Besides, using port 683 by default would cause problems for
non-root users since it is a privileged port on Unix platforms.

Right! But even if the server is started from root behind a firewall,
TAO would never honor the IANA specified port number, which is
probably not the right thing.

Though the user can probably enforce this by using the
-ORBEndpoint option, TAO should probably enforce this by default.

My $0.02.

Thanks
Bala
t***@gmx.de
2003-08-25 09:01:34 UTC
Hi,

I'm a bit confused: Today a process, which has not been put to a fixed port
(with -ORBEndpoint option) listens on a random (ephemeral?) port. It would
make a big difference if it were fixed to 683. How could I start more than one
instance? I at least don't want to care always, e.g. when starting client
which impl. callback objects.

Or do I miss something, is this discussion now going about server or client
endpoint?
For server endpoints you can choose (first?) free port from a range.
Example
-ORBEndpoint iiop://***@foo:2020/portspan=30
is given in the documentation.

And regarding client side of the communication, isn't it usual not to
restrict the port of originating socket in firewalls? Usually only ports to which
connections can be made are restricted?

-Torsten
Jeffrey Graham
2003-08-25 15:25:48 UTC
Everyone,
Thanks for the help. I failed to find specifically a configuration
option to specify which port a server opens up,
or to restrict the ports to some small range.

However, I did find success using the ORBEndpoint option like this for
my SERVERs:
-ORBEndPoint iiop://`hostname -s`:39000.

netstat confirms that it is working, if I managed to decipher its
output correctly.

BTW, in case there is some issue about OS, versions, etc...
I am using the most recent ACE+TAO, RH9.0 and its stock
compiler, and a 2.4.22-rc2 custom kernel.


I am still concerned about how this ORBEndpoint option works considering
orb policies like thread-per-connection, etc...
will they listen on the one port I specify, etc.

I am also confused by some earlier replies... won't the clients get the
specified server port and host from the naming service and use that?
Or am I missing something about what port the client will try to use?

Thanks,
Jeff
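
Added example, not part of the original thread and not TAO code: a small shell helper that turns the -ORBEndpoint values discussed above (a fixed port, or a port with portspan) into the inbound TCP range a firewall rule has to allow. It assumes portspan=N means N consecutive ports starting at the given port, that endpoint options are separated by '&', and that an optional "version@" prefix may precede the host; the host names are constructed.

```shell
#!/bin/sh
# Added example: derive the firewall port range implied by an -ORBEndpoint value.
# Assumption: portspan=N covers N consecutive ports starting at the given port.

# endpoint_ports ENDPOINT -> prints "FIRST:LAST"; returns 1 if no fixed port
endpoint_ports() {
    ep=${1#iiop://}                    # drop the scheme
    addr=${ep%%/*}                     # host:port part, before any /options
    opts=
    case $ep in */*) opts=${ep#*/} ;; esac
    addr=${addr#*@}                    # drop an optional "version@" prefix
    case $addr in
        *:*) port=${addr##*:} ;;
        *)   return 1 ;;               # no port: the ORB picks an ephemeral one
    esac
    case $port in ''|*[!0-9]*) return 1 ;; esac
    span=1
    old_ifs=$IFS; IFS='&'              # assumption: options are '&'-separated
    for o in $opts; do
        case $o in portspan=*) span=${o#portspan=} ;; esac
    done
    IFS=$old_ifs
    case $span in ''|*[!0-9]*) return 1 ;; esac
    [ "$span" -ge 1 ] || return 1
    last=$((port + span - 1))
    [ "$port" -ge 1 ] && [ "$last" -le 65535 ] || return 1
    echo "$port:$last"
}

# firewall_rule ENDPOINT -> prints an iptables rule as text (nothing is applied)
firewall_rule() {
    range=$(endpoint_ports "$1") || {
        echo "# $1: no fixed port, cannot be pinned in a firewall"
        return 1
    }
    echo "iptables -A INPUT -p tcp --dport $range -m conntrack --ctstate NEW -j ACCEPT"
}

# Constructed sample endpoints: a span, a single fixed port, and an unpinned one.
for e in 'iiop://foo:2020/portspan=30' 'iiop://server1:39000' 'iiop://foo'; do
    firewall_rule "$e" || true
done
```

The rules are only printed; review them against the actual listening sockets (for example with netstat, as in the post above) before adding them to a ruleset.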