Re: Firewalls and Oracle

From: Nuno Souto <nsouto_at_nsw.bigpond.net.au>
Date: Thu, 24 Jun 1999 14:26:56 +1000
Message-ID: <7kscl5$89v$2_at_m2.c2.telstra-mm.net.au>


The port should be the same, Scott.
Unless you have a problem with the settings in the listener.ora and tnsnames.ora files.

What changes is the IP address of the second connection, not the port. Get a sniffer
and you'll verify this. The IP address of the "inside" of the firewall is used for the second
and subsequent connections, whereas the "outside" IP address is used for the initial
connection. The result is a firewall that rejects the subsequent transmissions using
the "inside" IP address coming from the outside world. The visible symptom is a hung
connection and eventually a timeout error.

I'm told there is a new keyword with 8i that avoids this changing of the IP address
by the listener. Never tried it but I can see it will solve the problem. Until then,
you have a problem. Check out your local ORACLE support, they may have a patch solution. I never heard of one here in Australia, but it's worth a try.

--
Cheers
Nuno Souto
nsouto_at_nsw.bigpond.net.au.nospam
Is there a nospam domain?
http://www.users.bigpond.net.au/the_Den
Scott Dunbar <dunbar_at_commerce.com> wrote in message
news:377140D9.34204712_at_commerce.com...

> Hi,
> We are attempting to connect from an Oracle client to an Oracle
> server (all in the 8.1.x series) through a firewall. With a little
> experimentation it appears that the Oracle client does an initial
> connect() to the TNS listener but then an additional connection is made
> using an O/S assigned port. The problem is this second connection.
> Because it is O/S assigned it cannot be configured into the firewall.
> For a variety of reasons we have issues with using a "Net-8" compatible
> firewall (Oracle's solution).
>
> Is the number of this "return" port configurable? I'm guessing not
> as that could have the side effect of limiting (to one!) the number of
> clients that can be run on a particular box. Alternatively, is there a
> way to convince Oracle to use only one connection? As a side note,
> doesn't this scheme eat up file descriptors twice as fast as using the
> single connection? On most O/S's this isn't a big deal anymore but I
> guess SunOS 4.x (without DBE) scared me into being conservative with
> fd's.
>
> Thanks in advance for any information.
>
> --
> Scott Dunbar Global Commerce Systems
> dunbar_at_commerce.com Boulder, CO, USA
> HTML mail ok
>
>
Received on Thu Jun 24 1999 - 06:26:56 CEST

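An added illustration of the redirect mechanism described in the reply above; it is not part of either post and is not Oracle code. It decodes a TNS REDIRECT packet of the kind a sniffer would show when the listener hands the client off to a second address, and compares that address with the one the client first dialled, the way an allow-list firewall that only knows the listener's outside address and port would. The TNS header layout (2-byte length, 2-byte checksum, 1-byte type, 1-byte reserved, 2-byte header checksum, with a 2-byte data length in front of the redirect descriptor) and the type numbers are assumed from common protocol dissectors, and the addresses and port numbers are constructed sample data, not captured traffic.

```python
import re
import struct

# TNS packet types used by the Net8 transport layer (assumed values).
TNS_CONNECT, TNS_ACCEPT, TNS_REFUSE, TNS_REDIRECT, TNS_DATA = 1, 2, 4, 5, 6
TYPE_NAMES = {1: "CONNECT", 2: "ACCEPT", 4: "REFUSE", 5: "REDIRECT", 6: "DATA"}

# Assumed 8-byte TNS header: length, packet checksum, type, reserved, header checksum.
HDR = struct.Struct(">HHBBH")


def build_redirect(address: str) -> bytes:
    """Construct a REDIRECT packet: header, 2-byte data length, then the address descriptor."""
    data = address.encode("ascii")
    body = struct.pack(">H", len(data)) + data
    return HDR.pack(HDR.size + len(body), 0, TNS_REDIRECT, 0, 0) + body


def parse_tns(packet: bytes) -> dict:
    """Decode the header and, for a REDIRECT, the address the client is told to dial next."""
    if len(packet) < HDR.size:
        raise ValueError("truncated TNS header")
    length, _csum, ptype, _resv, _hcsum = HDR.unpack_from(packet)
    if length != len(packet):
        raise ValueError(f"length field {length} != {len(packet)} bytes on the wire")
    info = {"type": TYPE_NAMES.get(ptype, f"TYPE_{ptype}")}
    if ptype == TNS_REDIRECT:
        (dlen,) = struct.unpack_from(">H", packet, HDR.size)
        start = HDR.size + 2
        if start + dlen > len(packet):
            raise ValueError("redirect data runs past the end of the packet")
        info["redirect"] = packet[start:start + dlen].decode("ascii")
    return info


# Pulls HOST and PORT out of a "(ADDRESS=(PROTOCOL=tcp)(HOST=...)(PORT=...))" descriptor.
_ADDR = re.compile(r"\(HOST=([^)]+)\).*?\(PORT=(\d+)\)", re.IGNORECASE)


def parse_address(descriptor: str) -> tuple[str, int]:
    m = _ADDR.search(descriptor)
    if not m:
        raise ValueError(f"no HOST/PORT in {descriptor!r}")
    return m.group(1), int(m.group(2))


def firewall_check(initial: tuple[str, int], packet: bytes,
                   allowed: set[tuple[str, int]]) -> dict:
    """
    Compare the address the client first dialled with the one the listener
    redirects it to, and report whether a plain allow-list firewall (which
    only knows the listener's outside address and port) would pass the
    second connection.
    """
    info = parse_tns(packet)
    if info["type"] != "REDIRECT":
        return {"type": info["type"], "redirected": False, "passes_firewall": True}
    target = parse_address(info["redirect"])
    return {
        "type": "REDIRECT",
        "redirected": True,
        "target": target,
        "host_changed": target[0] != initial[0],   # the "inside" address problem
        "port_changed": target[1] != initial[1],   # the OS-assigned port problem
        "passes_firewall": target in allowed,
    }


# Constructed sample: the client dials the listener's outside address; the
# listener answers with a REDIRECT naming its inside address and an OS-assigned port.
OUTSIDE = ("203.0.113.10", 1521)
ALLOWED = {OUTSIDE}
SAMPLE_REDIRECT = build_redirect("(ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=33122))")

if __name__ == "__main__":
    for key, value in firewall_check(OUTSIDE, SAMPLE_REDIRECT, ALLOWED).items():
        print(f"{key:16} {value}")
```

Run against the constructed sample, the check reports both the host and the port as changed and the second connection as blocked, which is the hung-then-timeout symptom the reply describes. Feeding it a redirect back to the outside address on the listener port shows the contrast: only then does the allow-list let it through.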