Oracle FAQ Your Portal to the Oracle Knowledge Grid
Home -> Community -> Usenet -> c.d.o.misc -> Re: SQL*Net connection thru a firewall

Re: SQL*Net connection thru a firewall

From: Billy Verreynne <vslabs_at_onwe.co.za>
Date: 1997/10/15
Message-ID: <01bcd7e2$32776f00$ba030059@billyv.vslabs.co.za>#1/1

Phil Herring <revdoc_at_uow.edu.au> wrote in article <61rrlj$l1h$1_at_wyrm.its.uow.edu.au>...
> From netstat on our server (hostnames altered to protect the innocent):
> emperor.35980 foobar.uow.edu.au.1293 8293 0 8760 0 ESTABLISHED
> ^^^^^^^^^^^^^

Netstat usually only shows client connections on Unix - this means that "port" 35980 is emperor's client handle and it's connected to foobar on port 1293. I've never seen the reverse, i.e. a server connection to the client on a "random port".

For a random connection to occur, the client or server first has to negotiate the random port connection on a well-known port. In either case, there should have been an entry in netstat as follows:

e.g.
foobar.uow.edu.au.1293 emperor.35980 8293 0 8760 0 ESTABLISHED
emperor.35980 foobar.uow.edu.au.35780 8293 0 8760 0 ESTABLISHED

foobar connects to emperor on port 35980 (1st line), or emperor initiates a connection to foobar on port 35780 (2nd line). Both these connections should fail through a firewall as both these ports are not "valid/standard" ports.

A good example is the DCC (direct client chat) protocol used with IRC (port 6667). When initiating DCC from an IRC client, client 1 sends a private message to the other IRC client, client 2, requesting a direct connection on a random IP port (e.g. 3456). The private message goes thru ok as it is sent on port 6667 to the IRC server, which echoes it only to client 2.

Client 2 now acts as a little server and starts to listen on port 3456 for a connection from client 1. However, as soon as the 1st client attempts to connect to the 2nd client on port 3456, the firewall denies the 1st client access to the internet as it's trying to use a closed firewall port.

Thus, as soon as either the Oracle Server or Client attempts to connect to a "random" port via a firewall, the firewall will deny connection access. However, I've never seen Oracle client-server connections on any port but the port(s) specified in the listener. Opening the listener port(s) on a firewall without proxy authentication will allow Oracle client-server connections.

Malgorzata Roos <groos_at_amath.unizh.ch> disagreed with me saying:

---
I disagree - these details depend on further settings, such as
- MTS settings in the server side init*.ora, listener.ora
- using "server = dedicated" in the client side tnsnames.ora
  (this will usually cause "simpler", i.e. "firewall-friendly" behaviour)
---

I'm not familiar with the MTS settings, but the default Oracle behaviour to my
knowledge does not include server or client initiated random port
connections. So I assume that my experience is with the simpler/default
"firewall-friendly" behaviour of Oracle. :-)

regards,
Billy
Received on Wed Oct 15 1997 - 00:00:00 CDT
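The reasoning in the reply above (a firewall that only opens the listener port will carry a connection only if one endpoint is that listener port, and anything on a negotiated "random" port is dropped) can be applied mechanically to netstat output. The following is an added example, not code from the original thread or from Oracle: it parses Solaris/BSD-style netstat rows (local.port, remote.port, swind, send-q, rwind, recv-q, state), and for each ESTABLISHED connection decides whether such a firewall would pass it. The hostnames come from the quoted netstat line; the listener port 1521 and the extra sample rows are constructed assumptions, since the post never states the listener port.

```python
"""
Audit established TCP connections from netstat(1) output against a firewall
that admits traffic only to a server's published listener port(s).

Added example, not part of the original post. Assumptions: Solaris/BSD-style
netstat columns (local.port remote.port swind send-q rwind recv-q state) and
a hypothetical listener port of 1521.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample, modelled on the netstat line quoted in the thread.
# Row 1 is the quoted line; rows 2-4 are made up to exercise each branch.
NETSTAT_SAMPLE = """\
emperor.35980 foobar.uow.edu.au.1293 8293 0 8760 0 ESTABLISHED
emperor.1521 foobar.uow.edu.au.1294 8293 0 8760 0 ESTABLISHED
emperor.35980 foobar.uow.edu.au.35780 8293 0 8760 0 ESTABLISHED
emperor.1521 *.* 0 0 0 0 LISTEN
"""


@dataclass(frozen=True)
class Conn:
    local_host: str
    local_port: Optional[int]
    remote_host: str
    remote_port: Optional[int]
    state: str


@dataclass(frozen=True)
class Verdict:
    conn: Conn
    allowed: bool
    reason: str


def _split_addr(token: str) -> Tuple[str, Optional[int]]:
    """'foobar.uow.edu.au.1293' -> ('foobar.uow.edu.au', 1293); '*.*' -> ('*', None)."""
    host, _, port = token.rpartition(".")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Conn]:
    """Parse socket rows; header/blank lines (fewer than 3 fields) are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        local_host, local_port = _split_addr(fields[0])
        remote_host, remote_port = _split_addr(fields[1])
        conns.append(Conn(local_host, local_port, remote_host, remote_port, fields[-1]))
    return conns


def classify(conn: Conn, server_host: str, listener_ports: Set[int]) -> Verdict:
    """Would a firewall that only opens server_host:listener_ports carry this connection?"""
    if conn.local_host == server_host and conn.local_port in listener_ports:
        return Verdict(conn, True,
                       f"client {conn.remote_host}:{conn.remote_port} -> listener port {conn.local_port}")
    if conn.remote_host == server_host and conn.remote_port in listener_ports:
        return Verdict(conn, True,
                       f"local client -> listener port {conn.remote_port} on {server_host}")
    # Neither endpoint is a published listener port: the peers must have agreed on
    # this port over some other channel (DCC-style), and the firewall has no rule for it.
    return Verdict(conn, False,
                   f"neither {conn.local_port} nor {conn.remote_port} is a listener port "
                   f"(negotiated/random port, blocked)")


def audit(text: str, server_host: str, listener_ports: Set[int],
          state: str = "ESTABLISHED") -> List[Verdict]:
    """Classify every connection in the given state; LISTEN sockets are not connections."""
    return [classify(c, server_host, listener_ports)
            for c in parse_netstat(text) if c.state == state]


if __name__ == "__main__":
    for v in audit(NETSTAT_SAMPLE, "emperor", {1521}):
        flag = "PASS " if v.allowed else "BLOCK"
        print(f"{flag} {v.conn.local_host}.{v.conn.local_port} <-> "
              f"{v.conn.remote_host}.{v.conn.remote_port}: {v.reason}")
```

Run against the sample, only the row where emperor's local port is the listener port passes; the quoted row (35980 <-> 1293) and the 35980 <-> 35780 row are flagged as connections that could only exist through a port negotiated out of band, which is exactly the class the reply says a firewall would refuse.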