Re: database in firewall
Sybrand Bakker <sybrandb_at_hccnet.nl> wrote:
> On Sun, 19 Sep 2004 09:13:27 +0200, Eberhard Niendorf
> <eberhard.niendorf_at_epost.de> wrote:
>
>> Port redirection does not take place in every case; it depends on the platform. On
>> Unix it takes place only for shared server (MTS) or access via SSL. If the
>> server runs on a Unix platform with no MTS and no SSL, then there is no port
>> redirection and the firewall has to pass only the configured destination
>> port.
It is definitely true that there is no port redirection if the Oracle server
runs on *Unix*, unless MTS or SSL is used. By port redirection I mean that the
destination port number of the Oracle server process after a successful
client connection is the same as the port number of the Oracle listener. I
know that a lot of people believe in the myth of port redirection on Unix.
Occasionally one can read this myth in some docs, and if the Oracle SQL*Net
trace shows the word "redirected", this need not be right or has another
meaning.
On Unix there is no need for port redirection because of the fork call. And
Oracle uses this mechanism on every Unix, I would say, definitely on Linux
and Solaris. If Oracle runs on a Linux server, try the following on this
machine:
strace -ff -o <tracefile> -p <pid of the listener>
Make a SQL*Net connection from an Oracle client on another machine.
Now you can interrupt the strace.
Now one can see 3 tracefiles!
The first tracefile shows a fork. The second tracefile is very short; it seems to
do only some checks, does another fork, and the parent exits gracefully.
The third tracefile calls via *execve* $ORACLE_HOME/bin/oracle with the name
oracle<SID>. And this is the Oracle server process to which the client
is connected. This is the typical way one implements a TCP/IP server
on Unix. If one looks more precisely into the trace files, one can identify
the same file pointer number in the third tracefile for read/write as the one
from the established TCP/IP connection. And there is no close before the
fork call.
But why so complicated? The result is very easy to see on the server machine
with the following commands:
netstat -np --inet
lsof -i@<tcp/ip address>:<port>
And one can rely on this output!!!
> The alternative is making sure use_shared_sockets=true (applies to
> both NT and Unix) *HOWEVER* doing so, if you shutdown the listener you
> will also break all current connections.
On Unix there is no use_shared_socket parameter. On NT/Win2000 this should
be a registry entry, I've read. On Unix there is nothing comparable, and no
necessity.
OK, good to know that using use_shared_socket on NT/Win has the behavior of
break ..., but I've no experience on Win.
Eberhard
Received on Mon Sep 20 2004 - 05:09:57 CDT
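The fork-based server pattern described in the post, as an added example that is not part of the original message or of Oracle's code: a minimal listener on 127.0.0.1 (kernel-chosen port) accepts one connection and forks a per-connection process, which inherits the accepted socket and reports its local port. It assumes a POSIX system with loopback networking (Linux or Solaris) and shows why the firewall only needs the listener port in this model.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Listener on 127.0.0.1:<kernel-chosen port>. A forked client connects; the
 * parent accepts and forks a per-connection server process (the role that
 * oracle<SID> takes after execve). That child inherits the accepted socket,
 * with no close before the fork, and reports its local port over a pipe.
 * Returns 0 on success and fills *listen_port and *conn_port. */
int forked_server_ports(int *listen_port, int *conn_port) {
    struct sockaddr_in a = { .sin_family = AF_INET,
        .sin_addr.s_addr = htonl(INADDR_LOOPBACK), .sin_port = 0 };
    socklen_t alen = sizeof a;
    int lfd = socket(AF_INET, SOCK_STREAM, 0), pfd[2];
    if (lfd < 0 || bind(lfd, (struct sockaddr *)&a, alen) < 0 || listen(lfd, 1) < 0
        || getsockname(lfd, (struct sockaddr *)&a, &alen) < 0 || pipe(pfd) < 0)
        return -1;
    *listen_port = ntohs(a.sin_port);
    pid_t client = fork();
    if (client == 0) {                       /* client: connect, wait for a byte, exit */
        int c = socket(AF_INET, SOCK_STREAM, 0);
        char ch = 0;
        if (connect(c, (struct sockaddr *)&a, alen) == 0) (void)read(c, &ch, 1);
        _exit(0);
    }
    int cfd = accept(lfd, NULL, NULL);       /* the established TCP connection */
    if (cfd < 0) return -1;
    pid_t server = fork();                   /* no close(cfd) before the fork */
    if (server == 0) {                       /* per-connection server process */
        struct sockaddr_in s; socklen_t slen = sizeof s;
        close(lfd);                          /* only the listener needs lfd */
        int port = getsockname(cfd, (struct sockaddr *)&s, &slen) == 0 ? ntohs(s.sin_port) : -1;
        (void)write(pfd[1], &port, sizeof port);
        (void)write(cfd, "x", 1);            /* same fd number as the accepted connection */
        _exit(0);
    }
    close(cfd);                              /* the listener parent drops its copy */
    int port = -1;
    if (read(pfd[0], &port, sizeof port) != (ssize_t)sizeof port) port = -1;
    waitpid(server, NULL, 0); waitpid(client, NULL, 0);
    close(lfd); close(pfd[0]); close(pfd[1]);
    *conn_port = port;
    return port > 0 ? 0 : -1;
}

int main(void) {
    int lp, cp;
    if (forked_server_ports(&lp, &cp) == 0)
        printf("listener port %d, server process local port %d\n", lp, cp);
    return 0;
}
```

The two ports printed are identical: the forked server process serves the client on the listener's own port, which is what netstat -np --inet and lsof -i on the server show for a dedicated-server Oracle connection.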