Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Oracle and SqlNet behind a firewall

From: Michael S. Siebert <michael_siebert_at_pipeline.com>
Date: Fri, 21 Jul 2000 09:33:56 -0400
Message-Id: <10565.112634@fatcity.com>


I had the same issue when trying to go through an Axent application proxy firewall. I got around it by adding a registry setting. See note 66382.1 on MetaLink, or do a search on USE_SHARED_SOCKET. I've included an excerpt from the note that should help.

Regards,

Michael Siebert
Solutions Consulting, LLC
www.scglobal.com

<SNIP>
(ii) The second way to resolve this issue is to upgrade the server to 8.0.x
       and use the USE_SHARED_SOCKET parameter in the registry. With this
       method, it doesn't matter what kind of firewall you have. The syntax
       for this parameter is:

           USE_SHARED_SOCKET = TRUE

       Place the parameter in the registry under HKEY_LOCAL_MACHINE:Software:
       Oracle

       Restart Oracle and the listener for the parameter to take effect.

       Here's how USE_SHARED_SOCKET works. The listener binds and creates a
       socket on the address specified in the "listener.ora" file.  On this
       socket, there is a LISTEN state active that is used by the listener.
       When a new connection comes in to the listener, the listener spawns an
       Oracle thread on the listening port (i.e. 1521). This happens over and
       over again so that you have a listener and several established
       connections using port 1521. Pictorially this scenario would look like
       this:

                      +---<O>--------<O>----<O>---<O>--+
                      |                                |
                      | This square represents        <O>
                      | a listening socket for         |
                      | port 1521.                     |
                     <O>                               |
                      | <O> = oracle thread           <O>
                      | <L> = listener                 |
                      |                                |
                      +-<O>-------<L>--<O>------<O>----+

       The operating system then does a poll() or a select() on the socket
       to test for any data. If any of the threads have data, a signal
       handler is used to contact the application and inform it of the new
       data. The disadvantage of USE_SHARED_SOCKET is that if the listener
       shuts down, all connections are dissolved.

</SNIP>

"VanderMey, Bob" wrote:

> Dan,
>
> Our security guys complained about the same thing.  When I looked into it, I
> couldn't figure out how to limit the outbound ports.  The problem is that
> the listener uses port 1521 (or another of your choice) but then hands off
> to the database.  The database then picks a port to use when talking to the
> client.  The best I could come up with at the time, was to have the
> security guys see which ports were being used (they all stay within a
> certain range) and then open up a range of ports somewhat lower and higher
> than those being used.
>
> If you do figure this out, please let me know what you did.
>
> Bob VanderMey
> Oracle DBA
> OrderZone.com, Inc.
> 847 573-2687
> bvandermey_at_orderzone.com
> 565 Lakeview Parkway, Suite 250
> Vernon Hills, IL 60061
> http://www.orderzone.com
>
> -----Original Message-----
> Sent: Thursday, July 20, 2000 4:08 PM
> To: Multiple recipients of list ORACLE-L
>
> Just put our first NT server with Oracle 8.0.5 and Net8 behind a firewall.
>
> The security guys are complaining because all the inbound traffic goes in
> through port #1521, but the outbound traffic is using multiple and random
> ports.
> They don't like this.
>
> Anybody know anything about this?
>
> --
> Author:
>   INET: Dan.Hubler_at_midata.com
>
> Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
> San Diego, California        -- Public Internet access / Mailing Lists
> --------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from).  You may
> also send the HELP command for other information (like subscribing).
>
> --
> Author: VanderMey, Bob
>   INET: BVanderMey_at_OrderZone.com
Received on Fri Jul 21 2000 - 08:33:56 CDT
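
The port behaviour discussed in this thread, as an added example that is not from the original post or the MetaLink note: a simplified loopback model in Python (not Oracle's Net8 protocol) comparing sessions accepted on the listener's own socket with sessions handed off to a new server port. The function names, the plain-text redirect message and the OS-chosen port standing in for 1521 are assumptions.

```python
import socket

LOOPBACK = "127.0.0.1"

def _listener():
    # Port 0 lets the OS pick a free port; it stands in for 1521 (assumption).
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((LOOPBACK, 0))
    s.listen(8)
    return s, s.getsockname()[1]

def shared_socket_ports(n=3):
    """Server-side local ports of n sessions accepted on one listening socket."""
    lsock, lport = _listener()
    opened, ports = [lsock], []
    try:
        for _ in range(n):
            client = socket.create_connection((LOOPBACK, lport))
            session, _ = lsock.accept()  # session reuses the listener's local port
            opened += [client, session]
            ports.append(session.getsockname()[1])
    finally:
        for s in opened:
            s.close()
    return lport, ports

def redirect_ports(n=3):
    """Server-side local ports when each client is handed off to a new port."""
    lsock, lport = _listener()
    opened, ports = [lsock], []
    try:
        for _ in range(n):
            client = socket.create_connection((LOOPBACK, lport))
            ctrl, _ = lsock.accept()
            ssock, sport = _listener()         # per-session socket, OS-chosen port
            ctrl.sendall(str(sport).encode())  # hypothetical redirect message
            ctrl.close()
            with client, client.makefile("rb") as f:
                target = int(f.read())         # client learns the new port
            data = socket.create_connection((LOOPBACK, target))
            session, _ = ssock.accept()
            opened += [ssock, data, session]
            ports.append(session.getsockname()[1])
    finally:
        for s in opened:
            s.close()
    return lport, ports

def passes_single_port_rule(lport, ports):
    # Models a firewall rule that permits only the listener port on the server.
    return all(p == lport for p in ports)
```

Calling `passes_single_port_rule(*shared_socket_ports())` returns `True`, while the same check on `redirect_ports()` returns `False` because every handed-off session sits on a different server port.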
