In the past few weeks I have had to deal with outbound and inbound firewall rules. Firewalls are sometimes a real pain in the ass, but if you follow a few rules, it is possible to generate a working ruleset.
One important thing when configuring a firewall is to know which network hosts connect to the protected host (inbound rules) and to which hosts the protected host itself connects (outbound rules).
Very useful tools on Linux for this are netstat and lsof. With these tools you can find out what is connected to a TCP port and which outgoing connections exist.
With netstat you can see which services are listening on which network interface. For example, if you have a WebLogic server running on ports 7001 (AdminServer) and 7002 (managed_server0) bound to a specific network interface, you will get something like this:
[root@linux ~]# netstat -tnlp
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.0.20:7001 0.0.0.0:* LISTEN 22451/java
tcp 0 0 192.168.0.20:7002 0.0.0.0:* LISTEN 22493/java
Of course you will also see some open ports for sshd and so on.
Now if you want to know which process is behind an open port, and see its full command line (netstat -p only shows the PID and program name), you can use ps in combination with grep.
[root@linux ~]# ps -ef | grep 22493
wluser 22493 6937 3 19:23 ? 00:20:13 /opt/oracle0/mwh/jrockit/bin/java -jrockit -Xms256m -Xmx1024m -Dweblogic.Name=managed_server0 -Djava.security.policy=/opt/oracle0/mwh/wlserver_10.3/server/lib/weblogic.policy -Dweblogic.ProductionModeEnabled=true -Dweblogic.security.SSL.trustedCAKeyStore=/opt/oracle0/mwh/wlserver_10.3/server/lib/cacerts -Dweblogic.ProductionModeEnabled=true -da -Dplatform.home=/opt/oracle0/mwh/wlserver_10.3 -Dwls.home=/opt/oracle0/mwh/wlserver_10.3/server -Dweblogic.home=/opt/oracle0/mwh/wlserver_10.3/server -Dcommon.components.home=/opt/oracle0/mwh/oracle_common -Djrf.version=11.1.1 -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk14Logger -Ddomain.home=/opt/oracle0/projects/domains/domain0 -Djrockit.optfile=/opt/oracle0/mwh/oracle_common/modules/oracle.jrf_11.1.1/jrocket_optfile.txt -Doracle.server.config.dir=/opt/oracle0/projects/domains/domain0/config/fmwconfig/servers/AdminServer -Doracle.domain.config.dir=/opt/oracle0/projects/domains/domain0/config/fmwconfig -Digf.arisidbeans.carmlloc=/opt/oracle0/projects/domains/domain0/config/fmwconfig/carml -Digf.arisidstack.home=/opt/oracle0/projects/domains/domain0/config/fmwconfig/arisidprovider -Doracle.security.jps.config=/opt/oracle0/projects/domains/domain0/config/fmwconfig/jps-config.xml -Doracle.deployed.app.dir=/opt/oracle0/projects/domains/domain0/servers/AdminServer/tmp/_WL_user -Doracle.deployed.app.ext=/- -Dweblogic.alternateTypesDirectory=/opt/oracle0/mwh/oracle_common/modules/oracle.ossoiap_11.1.1,/opt/oracle0/mwh/oracle_common/modules/oracle.oamprovider_11.1.1 -Djava.protocol.handler.pkgs=oracle.mds.net.protocol -Dweblogic.jdbc.remoteEnabled=false -DEPM_ORACLE_HOME=/opt/oracle0/mwh/bip0 -DHYPERION_HOME=/opt/oracle0/mwh/bip0 -DEPM_ORACLE_INSTANCE=novalue -Dhyperion.home=/opt/oracle0/mwh/bip0 -DEPM_REG_PROPERTIES_PATH=/opt/oracle0/projects/domains/domain0/config/fmwconfig -Depm.useApplicationContextId=false 
-Doracle.biee.search.bisearchproperties=/opt/oracle0/mwh/bip0/bifoundation/jee/BISearchConfig.properties -Dweblogic.management.clearTextCredentialAccessEnabled=true -Doracle.notification.filewatching.interval=2000 -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.SSL.enableJSSE=true -Dfile.encoding=utf-8 -Duser.language=en -Duser.region=US -Dxdo.server.config.dir=/opt/oracle0/projects/domains/domain0/config/bipublisher -DXDO_FONT_DIR=/opt/oracle0/mwh/bip0/common/fonts -Dem.oracle.home=/opt/oracle0/mwh/oracle_common -Djava.awt.headless=true -Dweblogic.management.discover=true -Dwlw.iterativeDev=false -Dwlw.testConsole=false -Dwlw.logErrorsToConsole=false -Dweblogic.ext.dirs=/opt/oracle0/mwh/patch_wls1035/profiles/default/sysext_manifest_classpath:/opt/oracle0/mwh/patch_ocp360/profiles/default/sysext_manifest_classpath -Djava.io.tmpdir=/opt/oracle0/tmp -da -Dplatform.home=/opt/oracle0/mwh/wlserver_10.3 -Dwls.home=/opt/oracle0/mwh/wlserver_10.3/server -Dweblogic.home=/opt/oracle0/mwh/wlserver_10.3/server -Dcommon.components.home=/opt/oracle0/mwh/oracle_common -Djrf.version=11.1.1 -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk14Logger -Ddomain.home=/opt/oracle0/projects/domains/domain0 -Djrockit.optfile=/opt/oracle0/mwh/oracle_common/modules/oracle.jrf_11.1.1/jrocket_optfile.txt -Doracle.server.config.dir=/opt/oracle0/projects/domains/domain0/config/fmwconfig/servers/managed_server0 -Doracle.domain.config.dir=/opt/oracle0/projects/domains/domain0/config/fmwconfig -Digf.arisidbeans.carmlloc=/opt/oracle0/projects/domains/domain0/config/fmwconfig/carml -Digf.arisidstack.home=/opt/oracle0/projects/domains/domain0/config/fmwconfig/arisidprovider -Doracle.security.jps.config=/opt/oracle0/projects/domains/domain0/config/fmwconfig/jps-config.xml -Doracle.deployed.app.dir=/opt/oracle0/projects/domains/domain0/servers/managed_server0/tmp/_WL_user -Doracle.deployed.app.ext=/- 
-Dweblogic.alternateTypesDirectory=/opt/oracle0/mwh/oracle_common/modules/oracle.ossoiap_11.1.1,/opt/oracle0/mwh/oracle_common/modules/oracle.oamprovider_11.1.1 -Djava.protocol.handler.pkgs=oracle.mds.net.protocol -Dweblogic.jdbc.remoteEnabled=false -DEPM_ORACL
OK, now you know which process runs on the port. Next you can use lsof to determine which connections there are to and from the specified TCP port.
[root@linux ~]# lsof -i tcp:7002
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
java 22493 wluser 290u IPv4 61184208 TCP localhost:7002->clusterpartner1:55879 (ESTABLISHED)
java 22493 wluser 303u IPv4 61184159 TCP localhost:7002->clusterpartner1:35736 (ESTABLISHED)
java 22493 wluser 382u IPv4 61189759 TCP localhost:7002->clusterpartner1:55955 (ESTABLISHED)
java 22493 wluser 386u IPv4 61170023 TCP localhost:7002->localhost:54803 (ESTABLISHED)
java 22493 wluser 389u IPv4 61170863 TCP localhost:7002 (LISTEN)
java 22493 wluser 390u IPv4 61170864 TCP
java 22493 wluser 398u IPv4 61170992 TCP localhost:7002->localhost:54793 (ESTABLISHED)
java 22493 wluser 399u IPv4 61171023 TCP localhost:7002->localhost:54799 (ESTABLISHED)
java 22493 wluser 400u IPv4 61184168 TCP localhost:7002->clusterpartner1:35773 (ESTABLISHED)
java 22493 wluser 401u IPv4 61171039 TCP localhost:7002->localhost:54903 (ESTABLISHED)
java 22493 wluser 405u IPv4 61189776 TCP localhost:7002->clusterpartner1:55993 (ESTABLISHED)
You can see that my Managed Server (PID 22493) has some incoming and outgoing connections to its cluster partner. So you can get an idea of which ports are needed and should be opened in the local firewall.
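To turn such lsof output into a first draft of the ruleset, the following script (an added example, not part of the original post) classifies every ESTABLISHED connection as inbound, if its local port is one the host LISTENs on, or outbound otherwise, and collapses repeated peers so that each output line is one candidate rule. It assumes the numeric form lsof -nP -i tcp rather than the name-resolved output shown above; the sample lines, hosts, PIDs and ports are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): classify every ESTABLISHED TCP
# connection reported by lsof as inbound (peer talks to one of our LISTEN
# ports) or outbound, and collapse repeats so each line is one candidate
# firewall rule. Real use: lsof -nP -i tcp | classify_connections

# Constructed sample in "lsof -nP -i tcp" format, modelled on the post's output.
# Hosts, PIDs and ports are made up.
sample_lsof_output() {
    cat <<'EOF'
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
java    22493 wluser  290u  IPv4 61184208      0t0  TCP 192.168.0.20:7002->192.168.0.21:55879 (ESTABLISHED)
java    22493 wluser  303u  IPv4 61184159      0t0  TCP 192.168.0.20:7002->192.168.0.21:35736 (ESTABLISHED)
java    22493 wluser  412u  IPv4 61190001      0t0  TCP 192.168.0.20:48210->192.168.0.30:1521 (ESTABLISHED)
java    22493 wluser  389u  IPv4 61170863      0t0  TCP 192.168.0.20:7002 (LISTEN)
sshd     1234   root    3u  IPv4    12345      0t0  TCP *:22 (LISTEN)
sshd     5678   root    3u  IPv4    67890      0t0  TCP 192.168.0.20:22->10.0.0.5:51002 (ESTABLISHED)
EOF
}

# Reads lsof lines on stdin. NAME is the second-to-last field and the
# parenthesised state the last one, in both old and new lsof layouts.
classify_connections() {
    awk '
    function port_of(s,  a, n) { n = split(s, a, ":"); return a[n] }
    function host_of(s,  p)    { p = port_of(s); return substr(s, 1, length(s) - length(p) - 1) }
    $NF == "(LISTEN)"      { listen[port_of($(NF - 1))] = 1; next }
    $NF == "(ESTABLISHED)" { cnt++; name[cnt] = $(NF - 1); proc[cnt] = $1 "/" $2; next }
    END {
        # Two passes are needed: a LISTEN line may come after its connections.
        for (i = 1; i <= cnt; i++) {
            split(name[i], ep, "->")            # ep[1] local, ep[2] remote
            if (port_of(ep[1]) in listen)
                printf "IN  %s -> :%s (%s)\n", host_of(ep[2]), port_of(ep[1]), proc[i]
            else
                printf "OUT %s -> %s:%s (%s)\n", host_of(ep[1]), host_of(ep[2]), port_of(ep[2]), proc[i]
        }
    }' | LC_ALL=C sort -u
}

# Stand-alone demo on the constructed sample.
sample_lsof_output | classify_connections
```

Run it over all TCP sockets rather than a single port, because the inbound/outbound decision depends on the LISTEN lines; and since one lsof run is only a snapshot of the connections open at that moment, sample it several times over a normal workday before treating the list as complete.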