Re: Oracle and Firewall
If you specify USE_SHARED_SOCKET in the registry for your Oracle home and restart the listener, the 1521 port can be shared between both listener and database connections (in case of dedicated server). That way you won't have port problems with the firewall.

Tanel.

----- Original Message -----
To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
Sent: Friday, November 21, 2003 6:49 PM

Seema,

This is a typical misconception on the workings of Net8. Port 1521 is only used to contact the listener; after that the listener might:

a) create a server process which listens on a port other than 1521, OR
b) pass the connection to a prespawned server process, again on a different port.

The new port could be 1034, for example. The client process is then notified that the server process is listening on port 1034 and the client process then starts communicating through the new port.

Therefore what you see is normal. In fact it is the biggest problem in building a firewall around the database server; it just has to have too many ports (and mostly unpredictable) open.

Here are a few options:

(1) Use a firewall around the subnet where both app/web server and db server exist; not a firewall between them.
(2) Use TCP Node checking to restrict Net8 traffic to the db server only from the app server.
(3) Use Connection Manager. Using CM, known ports are used for communication, typically 1630 and 1631 (or is it 1634?) and only those can be opened up for connection.
(4) Use Shared Servers. The connections pass through the dispatchers. Since the ports used by them can be known, those ports can be opened up.
(5) Use SSH redirection.
(6) Use a commercial firewall product that can perform proxy-redirection, which preserves the port number in all established connections, even though actual ports used may be different.

If anyone has any more options, I would love to know.

HTH.

Arup

----- Original Message -----
To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
Sent: Friday, November 21, 2003 10:59 AM

Hi,

We are using Oracle817 on Windows with a NetScreen firewall. I have been noticing that after some time applications start connecting from 1521 to 1034 and so on. Is this normal? I want port 1521 only in use. How to fix this problem?

thx
-Seema

--
Please see the official ORACLE-L FAQ: http://www.orafaq.net
--
Author: Tanel Poder
  INET: [EMAIL PROTECTED]

Fat City Network Services -- 858-538-5051 http://www.fatcity.com
San Diego, California -- Mailing list and web hosting services

To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Oracle and Firewall
Hi,

We are using Oracle817 on Windows with a NetScreen firewall. I have been noticing that after some time applications start connecting from 1521 to 1034 and so on. Is this normal? I want port 1521 only in use. How to fix this problem?

thx
-Seema

--
Author: Seema Singh
RE: Oracle and Firewall
Hi Seema,

Take a look at document #131524.1 on Metalink. You will have to add an entry in the registry to force the connection to only use port 1521:

USE_SHARED_SOCKET=TRUE

Luc

-----Original Message-----
Sent: November 21, 2003 11:21 AM
To: Multiple recipients of list ORACLE-L

Hi,

We are using Oracle817 on Windows with a NetScreen firewall. I have been noticing that after some time applications start connecting from 1521 to 1034 and so on. Is this normal? I want port 1521 only in use. How to fix this problem?

thx
-Seema
Re: Oracle and Firewall
Seema,

This is a typical misconception on the workings of Net8. Port 1521 is only used to contact the listener; after that the listener might:

a) create a server process which listens on a port other than 1521, OR
b) pass the connection to a prespawned server process, again on a different port.

The new port could be 1034, for example. The client process is then notified that the server process is listening on port 1034 and the client process then starts communicating through the new port.

Therefore what you see is normal. In fact it is the biggest problem in building a firewall around the database server; it just has to have too many ports (and mostly unpredictable) open.

Here are a few options:

(1) Use a firewall around the subnet where both app/web server and db server exist; not a firewall between them.
(2) Use TCP Node checking to restrict Net8 traffic to the db server only from the app server.
(3) Use Connection Manager. Using CM, known ports are used for communication, typically 1630 and 1631 (or is it 1634?) and only those can be opened up for connection.
(4) Use Shared Servers. The connections pass through the dispatchers. Since the ports used by them can be known, those ports can be opened up.
(5) Use SSH redirection.
(6) Use a commercial firewall product that can perform proxy-redirection, which preserves the port number in all established connections, even though actual ports used may be different.

If anyone has any more options, I would love to know.

HTH.

Arup

----- Original Message -----
To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
Sent: Friday, November 21, 2003 10:59 AM

Hi,

We are using Oracle817 on Windows with a NetScreen firewall. I have been noticing that after some time applications start connecting from 1521 to 1034 and so on. Is this normal? I want port 1521 only in use. How to fix this problem?

thx
-Seema

--
Author: Arup Nanda
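The symptom discussed in this thread (a client reaches the listener on 1521 and is then told to reconnect on a port the firewall does not allow) can be confirmed from firewall logs. The following is an added example, not part of the original thread; the log format, the addresses and the 5-second correlation window are assumptions constructed for illustration.

```python
from collections import namedtuple
from datetime import datetime, timedelta

LISTENER_PORT = 1521            # listener port named in the thread
WINDOW = timedelta(seconds=5)   # assumed max gap between listener contact and redirect

# Constructed sample lines in an assumed "time action src dst dport" layout;
# this is not the NetScreen log format.
SAMPLE_LOG = """\
2003-11-21T10:59:01 allow 10.0.1.20 10.0.2.10 1521
2003-11-21T10:59:02 deny 10.0.1.20 10.0.2.10 1034
2003-11-21T11:05:30 allow 10.0.1.21 10.0.2.10 1521
2003-11-21T11:05:31 deny 10.0.1.21 10.0.2.10 1035
2003-11-21T11:30:00 deny 10.0.9.99 10.0.2.10 445
2003-11-21T11:45:00 allow 10.0.1.20 10.0.2.10 1521
2003-11-21T11:52:00 deny 10.0.1.20 10.0.2.10 3389
"""

Event = namedtuple("Event", "time action src dst dport")

def parse(log_text):
    """Turn log lines into Event tuples ordered by time; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        ts, action, src, dst, dport = parts
        events.append(Event(datetime.fromisoformat(ts), action, src, dst, int(dport)))
    return sorted(events)

def find_blocked_redirects(events, window=WINDOW):
    """Return (src, dst, port) for denies that closely follow an allowed
    listener connection between the same pair of hosts."""
    last_listener = {}  # (src, dst) -> time of last allowed connection to 1521
    hits = []
    for ev in events:
        pair = (ev.src, ev.dst)
        if ev.action == "allow" and ev.dport == LISTENER_PORT:
            last_listener[pair] = ev.time
        elif ev.action == "deny" and ev.dport != LISTENER_PORT:
            seen = last_listener.get(pair)
            if seen is not None and ev.time - seen <= window:
                hits.append((ev.src, ev.dst, ev.dport))
    return hits

if __name__ == "__main__":
    for src, dst, dport in find_blocked_redirects(parse(SAMPLE_LOG)):
        print(f"{src} -> {dst}: redirected to port {dport} and blocked")
```

Denies that do not follow a listener contact (the 445 and 3389 lines in the sample) are left out, so the result lists only the host pairs affected by the redirect.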
RE: Oracle and Firewall
Arup Nanda scribbled on the wall in glitter crayon:

> (1) Use a firewall around the subnet where both app/web server and db server exist; not a firewall between them.
> (2) Use TCP Node checking to restrict Net8 traffic to the db server only from the app server.
> (3) Use Connection Manager. Using CM, known ports are used for communication, typically 1630 and 1631 (or is it 1634?) and only those can be opened up for connection.
> (4) Use Shared Servers. The connections pass through the dispatchers. Since the ports used by them can be known, those ports can be opened up.
> (5) Use SSH redirection.
> (6) Use a commercial firewall product that can perform proxy-redirection, which preserves the port number in all established connections, even though actual ports used may be different.
>
> If anyone has any more options, I would love to know.

Oracle has worked with a number of firewall vendors to allow their firewalls to detect NET8 traffic. That way it can be set up to pass traffic between two nodes with a simple rule. And I'm sorry, but I'm out of the network setup side so I don't know the current list of firewall vendors this works with, but it would pay to check with yours and see if this is available. You sometimes need to either add a plug-in or update the firewall itself.

--
Bill Shrek Thater ORACLE DBA
I'm going to work my ticket if I can... -- Gilwell song
[EMAIL PROTECTED]

Maniac: An early computer built by nuts...

--
Author: Thater, William