ORIGINAL QUESTION:
Configuration:
Oracle version 7x
Solaris 2.6
E5500
We are running Oracle 7x which does not allow you to screen IP addresses
accessing the database thru SQLnet. Oracle 8 does have Network Access
Control but we can't go to Oracle 8 for a while.
So at the OS level I need a utility which would allow me to screen IPs
coming in thru SQLnet which listens on any given port numbers. For
instance, if SQLnet is listening on port 1600 for connections, is there a
way to intercept connection requests at the Unix level to this port and
grant/deny access based on the source IP address?
SOLUTIONS:
1) Use TCP/Wrappers (ftp://coast.cs.purdue.edu/pub/tools/unix/tcp_wrappers)
Note the response from Scott Adkins:
It is never difficult to manage an application that has all kinds of socket
connections ranging from the pretty predictable always-the-same ports, to
the let-choose-a-really-random port. Both TCP Wrappers and XInetD aren't
effective in this situation, which is due to the way Oracle keeps control
over how things are fired up.
I think the best suggestion I can give you is to try something out like
IP Filter or some other firewalling type package. I am not familiar with
Sun's SCREEN product, but it might do similar things as well. I prefer
IP Filter, since it is free, heavily supported, and extremely powerful.
You simply build a set of rules to filter out your network traffic and
submit the filter to the kernel to be used. Anything you don't want can
be blocked, and all traffic, blocked or passed through, can be logged if
you so desire. In the above case, you can block all connections on port
1600 and then allow only certain IP addresses to come in on it (DENY then
ALLOW situation).
2) Use IP/Filter (http://coombs.anu.edu.au/~avalon)
I think this is the best choice without having to modify much or
cross-version Oracle software (see #3 below).
3) Use Oracle 8 listener
From John D Groenveld:
Install the Net8 listener on your server, reportedly it will connect fine
to V7 instances.
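The following is an added example, not code from the thread or from any of the respondents. It generates the DENY-then-ALLOW IP Filter rule set Scott Adkins describes for solution #2: one block rule for the listener port, followed by pass rules for each permitted source. Every concrete name in it (interface hme0, database host 10.1.2.3, the allowed sources 10.1.2.0/24 and 192.168.5.17, and the rule-file path /etc/opt/ipf/ipf.conf) is an assumption for illustration. It also goes one step beyond the question: passing "any" instead of a port number covers every TCP port on the database host, for the case Scott mentions where the listener hands a client off to a dynamically chosen port and filtering 1600 alone would not help; whether your listener does that is something to verify on your own system.

```shell
#!/bin/sh
# Added example (not from the original thread): emit IP Filter rules that
# deny every TCP connection to the SQL*Net listener port and then pass only
# the listed source addresses. Interface, addresses and paths are assumed.
#
# IP Filter evaluates rules last-match-wins unless a rule says "quick", so a
# plain "block" rule first and "quick" pass rules after it is exactly the
# DENY-then-ALLOW arrangement: a connection is passed the moment a pass rule
# matches, and falls through to the block rule only when none does.

# valid_src ADDR[/PREFIX] -> exit 0 if ADDR looks like a dotted-quad IPv4
# address with an optional /0-32 prefix, 1 otherwise. A cheap guard against
# loading a typo into the kernel. (On old Solaris use /usr/xpg4/bin/grep,
# which understands -E and -q.)
valid_src() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# gen_oracle_rules IFACE DBHOST PORT SRC...
# PORT is the listener port (1600 in the question) or "any" to cover every
# TCP port on DBHOST, for a listener that redirects clients to a dynamically
# chosen port; then a rule on port 1600 alone is not enough.
gen_oracle_rules() {
    iface=$1; dbhost=$2; port=$3
    shift 3
    if [ "$port" = any ]; then
        portclause=""
    else
        portclause=" port = $port"
    fi
    # Deny first. No "quick": this rule stands only if nothing later matches.
    # "log" sends each blocked attempt to ipmon, which is the audit trail.
    printf 'block in log on %s proto tcp from any to %s/32%s\n' \
        "$iface" "$dbhost" "$portclause"
    for src in "$@"; do
        if ! valid_src "$src"; then
            echo "gen_oracle_rules: bad source address '$src'" >&2
            return 1
        fi
        # A bare host address becomes a /32 so every rule has the same shape.
        case $src in */*) ;; *) src="$src/32" ;; esac
        # "flags S keep state": match only the initial SYN and let IP Filter
        # track the rest of the session, so no separate rule is needed for
        # the server's replies or for later packets of an accepted session.
        printf 'pass in quick on %s proto tcp from %s to %s/32%s flags S keep state\n' \
            "$iface" "$src" "$dbhost" "$portclause"
    done
}

# Usage on the database host (rule-file path assumed):
#   gen_oracle_rules hme0 10.1.2.3 1600 10.1.2.0/24 192.168.5.17 > /etc/opt/ipf/ipf.conf
#   ipf -Fa -f /etc/opt/ipf/ipf.conf   # flush the old rule set, load the new one
#   ipfstat -io                        # confirm what the kernel actually holds
#   ipmon -s                           # watch blocked attempts arrive via syslog
```

Before relying on the rule set, connect from an address that is not on the allow list and confirm both that SQL*Net fails to connect and that ipmon shows the blocked SYN; a filter that was never loaded (wrong file, wrong interface name) fails silently open.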
RESPONDENTS:
Boyko, Steve <SBoyko@nbpower.com>
Michael Sullivan <mps@discomsys.com>
kevin@joltin.com (Kevin Sheehan)
Daniel Muiño <dmuino@afip.gov.ar>
Gerard Hynes <ghynes@colltech.com>
sadkins@voyager2.cns.ohiou.edu (Scott Adkins)
Bismark Espinoza <bismark@alta.Jpl.Nasa.Gov>
Paul.Teasdel@dresdnerkb.com
Jon Bernard <jbber@src.uchicago.edu>
Steven Levin <Steven.Levin@firstlook.com>
Colin_Melville@mastercard.com
John D Groenveld <jdg117@elvis.arl.psu.edu>
Otto, Doug <otto@alldata.com>
Nickolai Zeldovich <kolya@zepa.net>
Joe Doetzl <doetzl@iname.com>
Jarrett Carver <solarboyz1@hotmail.com>
simon.millard@barclays.co.uk
Thank you all!
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rick von Richter                        Systems/Network Supervisor
rickv@mwh.com                           Voice: 858-552-6222
Maintenance Warehouse/Home Depot        Fax: 858-552-6213
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The box says: Windows 98, Windows NT or BETTER. That's why I installed Linux.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:14:04 CDT