
Java vs. firewall: how to let Java applications have their own set of rules

Tags: java, firewall

Let's say I have coded a Java application that requires Internet access. Usually the firewall pops up and asks whether or not this is OK. Now I have the options to generally allow Internet access or use specific rules. Since I only check a web service I'd set a rule that restricts access to exactly that server at some port.

Now I have Java application #2 that also requires Internet access. If I decided to give application #1 full access then #2 also has full access. For the solution with the rule set above I'd need to add another rule or just give up and grant full access and, therefore, also give application #1 full access.

I guess you can see what my problem is. A while ago I ran into the same situation and I tried one or two wrappers that convert a JAR into an executable. I noticed that in the end they simply launched the JVM causing the usual Java binary to open the Internet connection.

So my question is: which options do I have to allow a user to specify different firewall rules for each Java application?

EDIT: after reading the first comment I'd like to make clear that I'm not thinking about how to configure the firewall, but rather have some way that Java applications themselves have a more or less unique way of identifying themselves or have another way of handling network access.

sjngm asked Jul 06 '11 05:07



2 Answers

What you require is more fine-grained access. Why not author a policy file and allow the security manager to govern the SocketPermissions that are allotted to your program?

http://download.oracle.com/javase/7/docs/technotes/guides/security/permissions.html.

Example below.

grant signedBy "paul" {
    permission java.net.SocketPermission "localhost:1024-", "accept, connect, listen";
};

Deepak Bala answered Oct 05 '22 16:10
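
The following is an added example, not code from the answer above: it evaluates two per-application `SocketPermission` grant sets against a few connection attempts, which shows how a policy entry like the one in the answer decides what each application may reach. The application names, the class name `PerAppSocketRules`, and the addresses (IP literals from the documentation ranges, so no DNS lookup is needed) are constructed for illustration.

```java
import java.net.SocketPermission;
import java.security.Permissions;
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration: app names and addresses are constructed sample values.
public class PerAppSocketRules {

    // Builds the permission set one application would be granted, the in-memory
    // form of: permission java.net.SocketPermission "<target>", "connect";
    static Permissions grantsFor(String... targets) {
        Permissions perms = new Permissions();
        for (String target : targets) {
            perms.add(new SocketPermission(target, "connect"));
        }
        return perms;
    }

    // True if the grant set permits the requested action on host:port.
    static boolean allowed(Permissions grants, String hostPort, String action) {
        return grants.implies(new SocketPermission(hostPort, action));
    }

    public static void main(String[] args) {
        Map<String, Permissions> apps = new LinkedHashMap<>();
        // app1 may only reach one web service; app2 gets a port range elsewhere.
        apps.put("app1", grantsFor("192.0.2.10:443"));
        apps.put("app2", grantsFor("198.51.100.20:8000-8100"));

        String[][] attempts = {
            {"192.0.2.10:443", "connect"},     // app1's web service
            {"192.0.2.10:80", "connect"},      // same host, port not granted
            {"198.51.100.20:8080", "connect"}, // inside app2's port range
            {"192.0.2.10:443", "listen"},      // action that was never granted
        };
        for (Map.Entry<String, Permissions> app : apps.entrySet()) {
            for (String[] a : attempts) {
                System.out.printf("%s %-7s %-20s -> %s%n", app.getKey(), a[1], a[0],
                        allowed(app.getValue(), a[0], a[1]) ? "allowed" : "denied");
            }
        }
    }
}
```

The grants are only enforced when the JVM runs with a security manager and a policy file (`-Djava.security.manager -Djava.security.policy=<file>`), and the Security Manager is deprecated since Java 17 and permanently disabled from JDK 24.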


A firewall is like a semi-permeable membrane, allowing outbound but not inbound connections:

                      |
 Outside world <===== | ====== Your computer
                      |
                   Firewall [OK]


                      |
 Outside world ====== X =====> Your computer
                      |
                   Firewall [Disallowed]

One thing that you can do to get around this is to set up a proxy that is outside of the firewall that accepts inbound connections from the outside world, as well as inbound connections from your "real" server. The proxy can route the external requests to one of the inbound sockets from one of the servers:

                                   |
 Outside world ===> [Proxy] <===== | ====== Your computer
                                   |
                              Firewall [OK]

That said, without knowing your exact situation, this might not be the best design choice. For example, you might be doing something that does not really require running a server, or maybe you really do want to be running a server, but maybe should be running one on cloud computing infrastructure. It is hard to recommend an actual design without additional details as to what you wish to accomplish.

Michael Aaron Safyan answered Oct 05 '22 18:10