
Now, anyone can access my Tomcat via its IP address. Therefore I would like to restrict it by allowing only specific IPs to access my Tomcat in the Windows 10 firewall.

I tried to add the following inbound firewall rule, but anyone can still access my Tomcat.

  • Profile: All (Domain, Private, Public)
  • Enabled: Yes
  • Action: Allow the connection
  • Override: No
  • Program: Any
  • Local Address: Any
  • Remote Address: x.x.x.x (The allowed IPs)
  • Protocol: TCP
  • Local Port: 8080
  • Remote Port: Any
  • Authorized Users: Any
  • Authorized Computers: Any
  • Authorized Local Principals: Any
  • Local User Owner: Any
  • Application Package: Any

After some studying and testing, I suspect that one of the existing inbound firewall rules for javaw.exe takes precedence over my Tomcat firewall rule, which allows anyone to access my Tomcat.

  • Profile: Private
  • Enabled: Yes
  • Action: Allow the connection
  • Override: No
  • Program: javaw.exe
  • Local Address: Any
  • Remote Address: Any
  • Protocol: TCP and UDP
  • Local Port: Any
  • Remote Port: Any
  • Authorized Users: Any
  • Authorized Computers: Any
  • Authorized Local Principals: Any
  • Local User Owner: Any
  • Application Package: Any

Do I need to allow javaw.exe connections in the firewall to run Tomcat? Is there any way to enable both the Tomcat and javaw.exe firewall rules such that I can still restrict which IPs may access my Tomcat?

I know that I could restrict access by setting a RemoteAddrValve in Tomcat's server.xml, but according to the Tomcat security considerations it is better to have multiple lines of defense. Therefore I would still like to add a firewall rule at the network layer to restrict Tomcat connections. Please help, thanks!

1 Answer

You have default Tomcat rules that give access to everybody. Windows Firewall applies rules in this order:

  1. GPO deny
  2. GPO allow
  3. local rule deny
  4. local rule allow
  5. finally the global rule (deny by default)

Two ways to handle that:

  1. create a rule that denies everybody with an exception for the selected IPs (very complex to do; you need to calculate [0.0.0.0 to 255.255.255.255] minus [my IP range])
  2. remove all the rules from your Windows Firewall and then make clean rules.

I prefer to remove all the rules from the Windows Firewall and then make clean rules. For a Windows server, you will need 3389 (RDP), 445 if you use psexec, and 80/443 for your HTTP web app. If your server is joined to a domain, you can do that via GPO with good OU management:

If you split your OUs by role:

OU=AllComputers
    >GPO=Allow all TCP port inbound for my admin range IP
  OU=Workstations
  OU=Laptops
  OU=Servers
    OU=Web
      >GPO=Allow 80,443 TCP port inbound for ????
    OU=Database
      >GPO=Allow 1433 TCP port inbound for everybody
    OU=TerminalServer
      >GPO=Allow 3389 TCP port inbound for everybody
    OU=DNS
      >GPO=Allow 53 TCP port inbound for everybody
    OU=FileServer
      >GPO=Allow 445 TCP port inbound for everybody

You have another solution: use SSL and set a client certificate, so only users who have the certificate can connect to the webapp.

ImmortalPC
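An added example, not code from the question or the answer, that carries out the answer's "audit the existing rules, then make clean ones" approach with the built-in NetSecurity cmdlets on Windows 10. It lists every enabled inbound Allow rule that would admit traffic to the Tomcat port, either because the rule names port 8080 (or Any) or because it names javaw.exe with any port, which is the situation the question suspects; disables the javaw.exe ones; and creates a single Allow rule scoped to the permitted remote addresses. The addresses and the rule display name are placeholders, and the script must be run from an elevated PowerShell session.

```powershell
# Added example: audit and scope inbound Windows Firewall rules for Tomcat.
# Assumptions (not from the page): the allowed addresses below are constructed
# samples, and 'Tomcat 8080 (allowed IPs only)' is a hypothetical rule name.

$TomcatPort = 8080
$AllowedIPs = @('192.0.2.10', '198.51.100.0/24')   # constructed sample list; replace with the real addresses

function Get-TomcatExposure {
    # Returns the enabled inbound Allow rules that would let traffic reach the Tomcat port.
    $inboundAllow = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True

    # Rules whose port filter covers the Tomcat port (exact port or 'Any' on TCP/Any).
    # Port ranges such as "8000-9000" are not expanded here; inspect those by hand.
    $byPort = $inboundAllow | Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        ($pf.Protocol -in 'TCP', 'Any') -and
        (($pf.LocalPort -contains "$TomcatPort") -or ($pf.LocalPort -eq 'Any'))
    }

    # Rules whose application filter names javaw.exe; with LocalPort Any these admit
    # everybody to every port the JVM listens on, regardless of a narrower Tomcat rule.
    $byProgram = Get-NetFirewallApplicationFilter |
        Where-Object { $_.Program -like '*\javaw.exe' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }

    [pscustomobject]@{
        ByPort    = @($byPort)
        ByProgram = @($byProgram)
    }
}

# 1. Audit: show what currently admits traffic to the Tomcat port and from where.
$exposure = Get-TomcatExposure
($exposure.ByPort + $exposure.ByProgram) |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Name          = $_.DisplayName
            Profile       = $_.Profile
            RemoteAddress = ($addr -join ',')
        }
    } | Format-Table -AutoSize

# 2. Disable the broad javaw.exe rules (the answer's "remove the default rules" step,
#    done reversibly so the audit above can be repeated before anything is deleted).
$exposure.ByProgram | Disable-NetFirewallRule

# 3. Create one scoped Allow rule for the Tomcat port, limited to the listed addresses.
New-NetFirewallRule -DisplayName 'Tomcat 8080 (allowed IPs only)' `
    -Direction Inbound -Action Allow -Enabled True -Profile Any `
    -Protocol TCP -LocalPort $TomcatPort -RemoteAddress $AllowedIPs

# 4. Re-run the audit: the only remaining match for port 8080 should be the scoped rule.
Get-TomcatExposure
```

To verify the result, run `Test-NetConnection -ComputerName <tomcat-host> -Port 8080` from a machine outside the allowed list and from one inside it; `TcpTestSucceeded` should be False for the first and True for the second. Keeping the RemoteAddrValve in server.xml as well gives the second line of defense the question mentions, so a future firewall rule added for another program does not silently reopen the port.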