RabbitMQ ports


kris kris

Jul 6, 2021, 11:41:12 AM
to rabbitmq-users
Hello, 
I use RabbitMQ in my applications and I have a few questions.

When I run my application I see that RabbitMQ uses different local ports from some random range of ports every time, but the remote port is always equal to 5672:

rabbit_ports.png
I'm trying to create rules in the firewall for local ports and this is a problem for me.

Can I specify a range of values for the local port?
Can I use one (stable) value for the local port, or should there be a specific range?
In case RabbitMQ is installed on a remote machine should I configure some specific firewall rules? 

Any help is appreciated.
Thanks in advance.

Yong Hua Peng

Jul 6, 2021, 8:54:14 PM
to rabbitm...@googlegroups.com
You need to read this section carefully.
https://www.rabbitmq.com/networking.html

regards.

kris kris

Jul 7, 2021, 5:35:18 AM
to rabbitmq-users
I read it carefully, but I don't have an answer for my question.
As I understand it, when a RabbitMQ client opens a connection, it takes the first free port from the ephemeral ports.
Can I specify a port range for RabbitMQ client?

Yong Hua Peng

Jul 7, 2021, 5:48:51 AM
to rabbitm...@googlegroups.com
If your clients are AMQP/MQTT client libraries, they use the stable
ports from the RabbitMQ server. Please see:
https://www.rabbitmq.com/networking.html#ports

regards.

kris kris

Jul 7, 2021, 6:28:43 AM
to rabbitmq-users
Thanks for your answer, Yong Hua Peng.

But when I open RabbitMQ admin panel I see that ephemeral ports were consumed by clients:
connections.png

regards.

Michal Kuratczyk

Jul 7, 2021, 6:36:17 AM
to rabbitm...@googlegroups.com
That's just how TCP works. Firewall rules usually just ignore the source port because as you noticed - they are unpredictable and generally don't matter.

Best,

--
Michał
RabbitMQ team

kris kris

Jul 7, 2021, 6:44:25 AM
to rabbitmq-users
As I understand, clients also receive messages from the RabbitMQ server. And that means that we need to open all these ports for incoming connections. So, it looks like I need to create inbound rules and specify this range as local ports.

Michal Kuratczyk

Jul 7, 2021, 7:01:29 AM
to rabbitm...@googlegroups.com
No, the clients initiate the connections - RabbitMQ never does. So as long as you allow inbound connections to 5671/5672 from any source port (and don't block server response), you are good.



--
Michał
RabbitMQ team

kris kris

Jul 7, 2021, 8:21:02 AM
to rabbitmq-users
I don't understand how it works. 
I have two computers: the first one has my applications installed and the second one is running RabbitMQ.
I've created an inbound rule in the first computer to block all incoming traffic for ports 30000-60000.
As I see it, the client initiates a connection from 172.20.37.2:59948 to 172.20.44.55:5672, but the client also receives messages from the server. And as I can see, the client receives responses on port #59948. So, I'm wondering why incoming traffic was not blocked by the firewall, since according to the documentation the inbound rule should block all incoming traffic.

3.png
4.png

Michal Kuratczyk

Jul 7, 2021, 8:42:49 AM
to rabbitm...@googlegroups.com
1. This has nothing to do with RabbitMQ as such - you'll find more info about these topics in TCP/IP and firewall documentation/forums
2. Firewalls usually only care about the connection initiation and will allow traffic on that connection later on. So if the client connected to RabbitMQ on port 5672 and that was accepted by the firewall, everything else is just traffic on that connection. What you are blocking with your rule is that RabbitMQ server cannot initiate any connections to the other machine but it never does that anyway.



--
Michał
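
The behaviour described in the reply above, as an added example that is not part of the original thread and not any real firewall's code: a simplified Python model of connection tracking on the client host. The class and function names are hypothetical; the addresses, ports and the 30000-60000 inbound block are the ones quoted in the thread.

```python
from dataclasses import dataclass

# Addresses quoted in the thread: application host and RabbitMQ host.
CLIENT, SERVER = "172.20.37.2", "172.20.44.55"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    opens: bool = False  # True only for a segment that tries to open a new connection


class ClientFirewall:
    """Simplified stateful firewall on the client host (assumption: outbound is allowed)."""

    def __init__(self, blocked_inbound=range(30000, 60001)):
        self.blocked_inbound = blocked_inbound  # the inbound block rule from the thread
        self.established = set()                # (local port, remote addr, remote port)

    def outbound(self, p):
        # An outbound connection attempt is allowed and recorded as state.
        if p.opens:
            self.established.add((p.sport, p.dst, p.dport))
        return "ALLOW"

    def inbound(self, p):
        # Traffic on a tracked connection is accepted before any rule is consulted.
        if not p.opens and (p.dport, p.src, p.sport) in self.established:
            return "ALLOW (established)"
        # Only packets outside a tracked connection reach the inbound rules.
        if p.dport in self.blocked_inbound:
            return "BLOCK (inbound rule)"
        return "ALLOW"


def demo():
    fw = ClientFirewall()
    return [
        fw.outbound(Packet(CLIENT, 59948, SERVER, 5672, opens=True)),  # client connects
        fw.inbound(Packet(SERVER, 5672, CLIENT, 59948)),               # broker reply or delivery
        fw.inbound(Packet(SERVER, 5672, CLIENT, 59948, opens=True)),   # server-initiated attempt
        fw.inbound(Packet(SERVER, 5672, CLIENT, 40000)),               # no matching connection
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```
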

kris kris

Jul 7, 2021, 8:49:53 AM
to rabbitmq-users
Thanks for your answer, Michał.
I think I understand how it works.
