Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: database in firewall

From: Eberhard Niendorf <eberhard.niendorf_at_epost.de>
Date: Mon, 20 Sep 2004 12:09:57 +0200
Message-ID: <cim9pd$taq$01$1@news.t-online.com>


Sybrand Bakker <sybrandb_at_hccnet.nl> wrote:

> On Sun, 19 Sep 2004 09:13:27 +0200, Eberhard Niendorf
> <eberhard.niendorf_at_epost.de> wrote:
>

>>Port redirection does not always take place; it depends on the platform. On
>>Unix it takes place only for shared server (MTS) or access via SSL. If the
>>server runs on a Unix platform with no MTS and no SSL, then there is no port
>>redirection and the firewall only has to pass the configured destination
>>port.

>
> Not true. Port redirection always takes place, independent of
> platform, whether using MTS or not using MTS. In setting up MTS
> however you can hardwire a port.

It is definitely true: there is no port redirection if the Oracle server runs on *Unix*, unless MTS or SSL is used. By port redirection I mean that the destination port number of the Oracle server process after a successful client connection is the same as the port number of the Oracle listener. I know that a lot of people believe in the myth of port redirection on Unix. Perhaps one can even read this myth in some docs, and if the Oracle SQL*Net trace shows the word "redirected", this need not be right or may have another meaning.
On Unix there is no need for port redirection because of the fork call. And Oracle uses this mechanism on every Unix, I would say, definitely on Linux and Solaris. If Oracle runs on a Linux server, try the following on this machine:
strace -ff -o <tracefile> -p <pid of the listener>
Then make a SQL*Net connection from an Oracle client on another machine. Now you can interrupt the strace.
Now one can see 3 trace files!
The 1st trace file shows a fork. The 2nd trace file is very short; it seems to do only some checks, do another fork, and then the parent exits gracefully. The 3rd trace file calls via *execve* $ORACLE_HOME/bin/oracle with the name oracle<SID>. And this is the Oracle server process to which the client is connected. This is the typical way one implements a TCP/IP server on Unix. If one looks more precisely into the trace files, one can identify the same file descriptor number used for read/write in the 3rd trace file as the one of the established TCP/IP connection. And there is no close before the fork call.
But why so complicated? The result is very easy to see on the server machine with the following commands:
netstat -np --inet
lsof -i@<tcp/ip address>:<port>

And one can rely on this output!!!

> The alternative is making sure use_shared_sockets=true (applies to
> both NT and Unix) *HOWEVER* doing so, if you shutdown the listener you
> will also break all current connections.

On Unix there is no use_shared_socket parameter. On NT/Win2000 this should be a registry entry, I've read. On Unix there is nothing comparable, and no necessity.
OK, good to know that using use_shared_socket on NT/Win has the behavior of breaking ..., but I have no experience on Windows.

Eberhard

Received on Mon Sep 20 2004 - 05:09:57 CDT
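The check the post describes with netstat can be scripted so the answer does not depend on reading the table by eye. The following is an added example, not code from the original post or from Oracle: it parses `netstat -np --inet` style output and reports whether ESTABLISHED sessions are served on the listener's own port by a forked oracle<SID> process (no redirection, as the post claims for Unix without MTS/SSL) or on some other port by an Oracle-related process (what redirection would look like). The listener port 1521, the process-name patterns `oracle`/`ora_`, and both netstat samples are assumptions constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post). Classifies ESTABLISHED TCP
# sessions from 'netstat -np --inet' output to test for port redirection.

LISTENER_PORT=1521   # assumed listener port

# Constructed sample: no redirection. Sessions sit on the listener port and are
# owned by oracle<SID> processes that inherited the socket via fork.
SAMPLE_NO_REDIRECT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:1521           0.0.0.0:*               LISTEN      4120/tnslsnr
tcp        0      0 10.0.0.5:1521           10.0.0.77:50122         ESTABLISHED 4311/oracleORCL
tcp        0      0 10.0.0.5:1521           10.0.0.78:50140         ESTABLISHED 4319/oracleORCL
tcp        0      0 10.0.0.5:22             10.0.0.77:49001         ESTABLISHED 1023/sshd'

# Constructed sample: redirection. The session ends up on a different port
# owned by a dispatcher-like process (assumed name), not on the listener port.
SAMPLE_REDIRECT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:1521           0.0.0.0:*               LISTEN      4120/tnslsnr
tcp        0      0 10.0.0.5:40123          10.0.0.77:50122         ESTABLISHED 4400/ora_d000_ORCL'

# Print one line per ESTABLISHED TCP session: "<localport> <foreign addr> <program>"
# usage: established_sessions "<netstat output>"
established_sessions() {
    printf '%s\n' "$1" | awk '$1 == "tcp" && $6 == "ESTABLISHED" {
        n = split($4, a, ":")      # local address is addr:port; take the port
        split($7, p, "/")          # PID/Program name; take the program
        print a[n], $5, p[2]
    }'
}

# Sessions on the listener port owned by something other than the listener
# itself (i.e. the forked oracle<SID> server process).
# usage: count_on_listener_port "<netstat output>" <listener port>
count_on_listener_port() {
    established_sessions "$1" |
        awk -v port="$2" '$1 == port && $3 !~ /^tnslsnr/ { c++ } END { print c + 0 }'
}

# Sessions on a port other than the listener port owned by an Oracle-related
# process (name pattern is an assumption): the signature of port redirection.
# usage: count_redirected "<netstat output>" <listener port>
count_redirected() {
    established_sessions "$1" |
        awk -v port="$2" '$1 != port && $3 ~ /^(oracle|ora_)/ { c++ } END { print c + 0 }'
}

# Overall verdict: "no-redirection", "redirection" or "no-sessions".
# usage: verdict "<netstat output>" <listener port>
verdict() {
    redirected=$(count_redirected "$1" "$2")
    direct=$(count_on_listener_port "$1" "$2")
    if [ "$redirected" -gt 0 ]; then
        echo "redirection"
    elif [ "$direct" -gt 0 ]; then
        echo "no-redirection"
    else
        echo "no-sessions"
    fi
}

# On a real host, replace the sample with live output:
#   verdict "$(netstat -np --inet)" "$LISTENER_PORT"
verdict "$SAMPLE_NO_REDIRECT" "$LISTENER_PORT"
verdict "$SAMPLE_REDIRECT" "$LISTENER_PORT"
```

The firewall consequence follows directly from the verdict: when every established session sits on the listener port, only that destination port needs to be allowed; when sessions appear on other ports, those ports (or a hard-wired dispatcher port range) must be allowed as well.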
