Re: Firewalls and Oracle

From: Joel Garry <jgarry_at_my-deja.com>
Date: Wed, 21 Jul 1999 16:18:37 GMT
Message-ID: <7n4rsf$g9$1_at_nnrp1.deja.com>


In article <7kscl5$89v$2_at_m2.c2.telstra-mm.net.au>, "Nuno Souto" <nsouto_at_nsw.bigpond.net.au> wrote:

Oracle works with firewall vendors to have a proxy server addition to the firewall to track the IP address within the packet. Of course, Oracle doesn't work with every vendor. One workaround is to use multithreaded server and set use_dedicated_server in the sqlnet.ora of the client. This seems to work with Unix servers, anyway; I don't know about 8i.

> The port should be the same, Scott.
> Unless you have a problem with the settings in the listener.ora and tnsnames.ora files.
>
> What changes is the IP address of the second connection, not the port. Get a sniffer and you'll verify this. The IP address of the "inside" of the firewall is used for the second and subsequent connections, whereas the "outside" IP address is used for the initial connection. The result is a firewall that rejects the subsequent transmissions using the "inside" IP address coming from the outside world. The visible symptom is a hung connection and eventually a timeout error.
>
> I'm told there is a new keyword with 8i that avoids this changing of the IP address by the listener. Never tried it but I can see it will solve the problem. Until then, you have a problem. Check out your local ORACLE support, they may have a patch solution. I never heard of one here in Australia, but it's worth a try.
>
> --
> Cheers
> Nuno Souto
> nsouto_at_nsw.bigpond.net.au.nospam
> Is there a nospam domain?
> http://www.users.bigpond.net.au/the_Den
> Scott Dunbar <dunbar_at_commerce.com> wrote in message news:377140D9.34204712_at_commerce.com...
> > Hi,
> > We are attempting to connect from an Oracle client to an Oracle server (all in the 8.1.x series) through a firewall. With a little experimentation it appears that the Oracle client does an initial connect() to the TNS listener but then an additional connection is made using an O/S assigned port. The problem is this second connection. Because it is O/S assigned it cannot be configured into the firewall. For a variety of reasons we have issues with using a "Net-8" compatible firewall (Oracle's solution).
> >
> > Is the number of this "return" port configurable? I'm guessing not as that could have the side effect of limiting (to one!) the number of clients that can be run on a particular box. Alternatively, is there a way to convince Oracle to use only one connection? As a side note, doesn't this scheme eat up file descriptors twice as fast as using the single connection? On most O/S's this isn't a big deal anymore but I guess SunOS 4.x (without DBE) scared me into being conservative with fd's.
> >
> > Thanks in advance for any information.
> >
> > --
> > Scott Dunbar Global Commerce Systems
> > dunbar_at_commerce.com Boulder, CO, USA
> > HTML mail ok
> >
> >
>
>

jg

--
These opinions mine
mailto:joel-garry_at_nospam.home.com
Remove nospam to mail
http://ourworld.compuserve.com/homepages/joel_garry


Received on Wed Jul 21 1999 - 18:18:37 CEST
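
The thread describes a listener that hands the client a second address, and a firewall that drops that second connection. The following is an added example, not part of the original posts or of Oracle's software: it takes the address the client dialed and a redirect address captured with a sniffer, and lists why the firewall would reject the follow-up connection. It assumes the captured redirect is in the tnsnames.ora `(ADDRESS=...)` syntax; the function names, sample addresses and the allowed-port set are constructed for illustration.

```python
import ipaddress
import re

# Pulls HOST and PORT out of a Net8 address descriptor such as
# (ADDRESS=(PROTOCOL=tcp)(HOST=10.1.2.3)(PORT=1521))
_FIELD = re.compile(r"\(\s*(HOST|PORT)\s*=\s*([^()\s]+)\s*\)", re.IGNORECASE)


def parse_address(descriptor):
    """Return (host, port) from an ADDRESS descriptor string."""
    fields = {key.upper(): value for key, value in _FIELD.findall(descriptor)}
    if "HOST" not in fields or "PORT" not in fields:
        raise ValueError("descriptor lacks HOST or PORT: %r" % descriptor)
    return fields["HOST"], int(fields["PORT"])


def check_redirect(dialed_host, redirect_descriptor, allowed_ports):
    """List the reasons the second connection would not pass the firewall."""
    host, port = parse_address(redirect_descriptor)
    problems = []
    if host.lower() != dialed_host.lower():
        # The case described in the thread: the listener answers with the
        # "inside" address, which the client cannot reach from outside.
        problems.append("host changed: %s -> %s" % (dialed_host, host))
        try:
            if ipaddress.ip_address(host).is_private:
                problems.append("redirect target %s is a private address" % host)
        except ValueError:
            pass  # a hostname, not a literal IP; cannot be classified offline
    if port not in allowed_ports:
        # The case in the original question: an O/S assigned port.
        problems.append("port %d is not opened on the firewall" % port)
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    outside = "203.0.113.10"
    samples = [
        "(ADDRESS=(PROTOCOL=tcp)(HOST=10.1.2.3)(PORT=1521))",
        "(ADDRESS=(PROTOCOL=tcp)(HOST=203.0.113.10)(PORT=34012))",
        "(ADDRESS=(PROTOCOL=tcp)(HOST=203.0.113.10)(PORT=1521))",
    ]
    for descriptor in samples:
        print(descriptor, "->", check_redirect(outside, descriptor, {1521}) or "ok")
```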