mfirewall | User-space firewall for Solaris |
With MxG2000 2.11, Murex steers away from the "old-style" ECN drivers interfacing directly to a RTI/deal import session, and towards the "new-style" drivers talking to an MxML workflow. This gives new flexibility in handling all kind of mappings (traders, product, portfolios and so on), at a slightly higher cost of maintenance.
In case you need to deploy these drivers in your environment where a firewall is utilized to seperate your Murex servers from the client that is running the market's native software (e.g. like when running the drivers directly on an Eurex MISS, or an EBS client), you may face some problems.
As the new drivers will be started from their dedicated launcher, you may need to put it, together with an XML server and XML hub, on the separate machine into an dedicated site. The MxG2000 architecture covers this quite easily, and even allows to use SOAP (with the SOAP bridge) or HTTP transport rather than RMI.
When you configure your sites and inter-site communication in the site matrix, you can direct the architecture to use specific TCP ports, and this in turn makes your security officer happy as a discrete set of ports can be enabled instead of opening up all TCP communication or largish port ranges between the hosts.
Now as you live in a unfriendly environment and your security officer might be a bit paranoid anyway, usually packets are dropped instead of rejected. Discussing this feature with him/her may turn out to be a bit cumbersome.
This may seem not such of a problem...
But: parts of the XML server code does not care about the site matrix, and routing information given there is considered a hint, not mandatory. Consequently, it keeps on talking directly to the remote site, and quite frequently you will see. Your routing information is only used as a fallback.
This of course makes your security officers not very happy as it fills their log files and eventually triggers even alarms or automatic counter-measures. And it won't make you happy either, because what you will experience is a longish delay on any operation that involves querying services from the XML server:
What to do?
Just deploy your very own user-space firewall!
This is where this little piece of software kicks in: Just forbid the questionable processes to contact certain hosts on certain TCP ports.
This works by intercepting any call to certain network-related functions, and passing or rejecting connections based upon a simple rule. The mechanism utilized is a feature of the shared linker ld.so called LD_PRELOAD (environment variable), it works by pre-loading a shared library before other (the systems') libraries are loaded.
The rules are also set as environment variables as follows:
An example? Consider you have a telnet daemon enabled on your local machine:
env LD_PRELOAD=libmfirewall.so \ MFIREWALL_ADDR="127.0.0.1" MFIREWALL_PORTS="23" MFIREWALL_DEBUG=1 \ telnet localhost Trying 127.0.0.1... telnet: connect to address 127.0.0.1: Verbindungsaufbau abgelehntThis little example prevents connections to the local telnet daemon, only for that particular running telnet client. Any other program on the same machine would have succeeded at that time.
For Murex, just put this block into your launchmxj.app script:
########################################## # MR: Workaround for timeouts during communication via firewall # The java start line is prepended by this setting where necessary ########################################## MFIREWALL_SETTINGS="" # Eurex MISSes side as seen from Murex if [ "$env" = "xxxx" ]; then MFIREWALL_SETTINGS="env LD_PRELOAD=lib/libmfirewall.so \ MFIREWALL_ADDRS=1.2.3.4,1.2.3.5 \ MFIREWALL_PORTS=4711,4712" #MFIREWALL_SETTINGS="$MFIREWALL_SETTINGS MFIREWALL_DEBUG=1" fi # Murex side as seen from Eurex MISSes if [ "$env" = "yyyyy" ]; then MFIREWALL_SETTINGS="env LD_PRELOAD=lib/libmfirewall.so \ MFIREWALL_ADDRS=10.1.2.3,10.1.2.4,10.1.2.5 \ MFIREWALL_PORTS=7777,8888,9999" #MFIREWALL_SETTINGS="$MFIREWALL_SETTINGS MFIREWALL_DEBUG=1" fi # override the setting: disable the workaround #MFIREWALL_SETTINGS=""and where necessary, prepend the Java call to the respective launchers with ${MFIREWALL_SETTINGS} :
$_ECHO "Java cmd:\n$JAVA_CMD\n" >>$LOG_PATH/$LOG_FILE.log ${MFIREWALL_SETTINGS} \ $JAVA_CMD 2>&1 | $_TEE -a $LOG_PATH/$LOG_FILE.log &
Of course, this little software may come handy for other situations as well.
In any case, I'd like to hear from you if it solved your problem, so please drop me a note if you successfully deployed this software, or if you have any further questions.
This is the tarball with the source code and precompiled binaries for Solaris 8: