Oracle FAQ Your Portal to the Oracle Knowledge Grid
Re: Oracle and Firewall

From: Arup Nanda <orarup_at_hotmail.com>
Date: Fri, 21 Nov 2003 08:49:40 -0800
Message-ID: <F001.005D770B.20031121084940@fatcity.com>


Seema,

This is a typical misconception about the workings of Net8. Port 1521 is only used to contact the listener; after that the listener might:

  1. create a server process which listens on a port other than 1521 OR
  2. pass the connection to a prespawned server process, again on a different port.

The new port could be 1034, for example. The client process is then notified that the server process is listening on port 1034 and the client process then starts communicating through the new port.

Therefore what you see is normal. In fact, it is the biggest problem in building a firewall around the database server; it just has to have too many (and mostly unpredictable) ports open. Here are a few options:

(1) Use a firewall around the subnet where both the app/web server and the db server exist, not a firewall between them.
(2) Use TCP node checking to restrict Net8 traffic to the db server only from the app server.
(3) Use Connection Manager. Using CM, known ports are used for communication, typically 1630 and 1631 (or is it 1634?), and only those need to be opened up for connection.
(4) Use Shared Servers. The connections pass through the dispatchers. Since the ports used by them can be known, those ports can be opened up.
(5) Use SSH redirection.
(6) Use a commercial firewall product that can perform proxy-redirection, which preserves the port number in all established connections, even though the actual ports used may be different.

If anyone has any more options, I would love to know.

HTH. Arup

> Hi,
> We are using Oracle 8.1.7 on Windows with a NetScreen firewall. I have been
> noticing that after some time applications start connecting from 1521 to 1034
> and so on. Is this normal? I want port 1521 only in use. How to fix this
> problem?
> thx
> -Seema
>
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.net
> --
> Author: Seema Singh
> INET: oracledbam_at_hotmail.com

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Arup Nanda
  INET: orarup_at_hotmail.com

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
Received on Fri Nov 21 2003 - 10:49:40 CST
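The redirect exchange Arup describes, as an added Python example that is not part of the original thread or of any Oracle code. It frames and decodes an Oracle Net (TNS) REDIRECT packet, the listener reply that tells the client "talk to me on port 1034 from now on", and shows what a protocol-aware firewall (Arup's option 6) would have to extract from the listener's replies to know which extra ports to admit. The packet layout used here is the 8-byte TNS header of Net8/Oracle Net for SDUs up to 64K (packet length, packet checksum, packet type, reserved flags, header checksum) followed, for a REDIRECT, by a 2-byte data length and the address string; the host name dbsrv, port 1034 and all packet bytes are constructed sample values, not captured from a real listener.

```python
"""Decode Oracle Net (TNS) REDIRECT packets to see why a session that
began on port 1521 shows up on another port.

Added example for this thread, not code from the original posts or from
Oracle. Assumed layout: 8-byte TNS header (length, checksum, type,
reserved flags, header checksum, all big-endian), and a REDIRECT body of
a 2-byte redirect-data length plus the address string. Large-SDU packets
of much newer releases use a different header and are not handled.
All sample traffic below is constructed, not captured."""

import re
import struct

HEADER_FMT = ">HHBBH"                      # length, cksum, type, flags, hdr cksum
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 8 bytes

TNS_CONNECT, TNS_ACCEPT, TNS_REFUSE, TNS_REDIRECT, TNS_DATA = 1, 2, 4, 5, 6


def parse_tns_header(pkt):
    """Return (declared_length, packet_type) after sanity-checking the header."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("packet shorter than a TNS header")
    length, _cksum, ptype, _flags, _hcksum = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    if length < HEADER_LEN or length > len(pkt):
        raise ValueError("TNS length field %d does not fit %d bytes" % (length, len(pkt)))
    return length, ptype


def parse_redirect(pkt):
    """Return the address string carried by a REDIRECT packet."""
    length, ptype = parse_tns_header(pkt)
    if ptype != TNS_REDIRECT:
        raise ValueError("not a REDIRECT packet (type %d)" % ptype)
    body = pkt[HEADER_LEN:length]
    if len(body) < 2:
        raise ValueError("REDIRECT without a data length")
    (data_len,) = struct.unpack(">H", body[:2])
    data = body[2:2 + data_len]
    if len(data) != data_len:
        raise ValueError("truncated redirect data")
    return data.decode("ascii")


def redirect_target(address):
    """Pull (host, port) out of an (ADDRESS=...(HOST=...)(PORT=...)) string."""
    host = re.search(r"\(HOST=([^()]+)\)", address, re.IGNORECASE)
    port = re.search(r"\(PORT=(\d+)\)", address, re.IGNORECASE)
    if host is None or port is None:
        raise ValueError("no HOST/PORT in redirect address: %r" % address)
    return host.group(1), int(port.group(1))


def build_packet(ptype, body):
    """Frame a TNS packet; checksum fields are left zero (commonly unused)."""
    return struct.pack(HEADER_FMT, HEADER_LEN + len(body), 0, ptype, 0, 0) + body


def build_redirect(address):
    data = address.encode("ascii")
    return build_packet(TNS_REDIRECT, struct.pack(">H", len(data)) + data)


def extra_ports(listener_replies):
    """Set of (host, port) beyond the listener's own port that a firewall
    between client and database would have to admit, learned only from
    the listener's replies (what a proxy-redirection firewall does inline)."""
    targets = set()
    for pkt in listener_replies:
        _length, ptype = parse_tns_header(pkt)
        if ptype == TNS_REDIRECT:
            targets.add(redirect_target(parse_redirect(pkt)))
    return targets


# Constructed sample replies: one session accepted in place on 1521 (body
# bytes are a placeholder, only the header matters here) and one redirected
# to a freshly spawned server process on port 1034.
SAMPLE_ACCEPT = build_packet(TNS_ACCEPT, b"\x00" * 16)
SAMPLE_REDIRECT = build_redirect("(ADDRESS=(PROTOCOL=tcp)(HOST=dbsrv)(PORT=1034))")

if __name__ == "__main__":
    print("redirect address:", parse_redirect(SAMPLE_REDIRECT))
    print("ports the firewall would also need open:",
          extra_ports([SAMPLE_ACCEPT, SAMPLE_REDIRECT]))
```

Running this against real listener replies tells you whether a given configuration still redirects: a dispatcher (shared server) or Connection Manager setup yields a small, fixed set of targets that can be opened statically, while dedicated servers yield a new ephemeral port per session, which is exactly the unpredictable-port problem the reply describes. A firewall that cannot follow these redirects inline has to fall back to the subnet-level or node-checking options listed above.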