
Blocking access to Oracle ports 1521/1526

 
Tom Dawson
Regular Advisor

Hi,

I'm trying to block access to our Oracle database from users on a certain subnet. The suggestion I got from HP Support was to make entries in hosts.allow/hosts.deny. I was under the impression that those files were part of the tcp_wrapper product. Is my assumption correct?

Also, since the Oracle listener is not an inetd controlled program, would tcp_wrapper do me any good?

Making entries in /var/adm/inetd.sec doesn't do any good because, again, the Oracle listener is not an inetd controlled program.

I'm trying to make some simple change at the network layer so we can still allow access to the Oracle db from other subnets.

Any ideas?

Thanks,
Tom
Craig Rants
Honored Contributor
Solution

Re: Blocking access to Oracle ports 1521/1526

You are right, wrappers and inetd will not work unless Oracle was compiled with libwrap.a, which I doubt.

I would recommend installing IPF/9000. It is product B9901AA on App CD 1.

The entry to block access to those ports in the ipf.conf file would be

block in quick proto tcp from any to IP/32 port = 1521

same with port 1526,

I have mine set up into groups, which helps in filtering... but I digress

GL,
C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
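
A subnet-scoped variant of the rule in the post above, as an added example that is not part of the original reply. The addresses 192.0.2.0/24 (the subnet to keep out) and 198.51.100.10 (the database host) are constructed placeholders; substitute your own.

```conf
# ipf.conf fragment (added example, placeholder addresses).
# Goal from the original question: keep ONE subnet away from the Oracle
# listener ports while every other subnet can still connect.
#
# "quick" makes the first matching rule final. Without "quick", IPFilter
# applies the LAST matching rule, so a later pass rule would override
# these blocks. Keep the block rules above any pass rules for these ports.
# "log" records each dropped packet so attempts from the subnet are visible.

# Deny the restricted subnet on both listener ports.
block in log quick proto tcp from 192.0.2.0/24 to 198.51.100.10/32 port = 1521
block in log quick proto tcp from 192.0.2.0/24 to 198.51.100.10/32 port = 1526

# Explicitly allow everyone else to reach the listener. With a default-pass
# build these two rules only document intent; with a default-block policy
# they are required.
pass in quick proto tcp from any to 198.51.100.10/32 port = 1521 keep state
pass in quick proto tcp from any to 198.51.100.10/32 port = 1526 keep state
```

After loading the rules, confirm from a host in the restricted subnet that the connection to 1521 fails and from another subnet that it still succeeds.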
Christopher Caldwell
Honored Contributor

Re: Blocking access to Oracle ports 1521/1526

Use IPFilter (available from software.hp.com) or block at the network device (i.e. if your network is isolated by a router, add an access control list to the router).
Tom Dawson
Regular Advisor

Re: Blocking access to Oracle ports 1521/1526

Craig, Christopher,

Thanks! It looks like that's just what I need. The only problem is, it appears that IPFilter is only available for 11.x. I'm migrating from 10.20 to 11.11 this weekend and I had hoped to be able to easily restrict access to the db on 10.20 while we did maintenance from our workstations preparing for the migration.

But it's not that big a problem. As Christopher suggested, I'll have our WAN administrator do some blocking at the router and we ought to be fairly safe. And next week I'll be installing IPF/9000 on the 11.11 server.

Thanks again,
Tom
Craig Rants
Honored Contributor

Re: Blocking access to Oracle ports 1521/1526

Depending on what type of 11i you have, IPF will be installed. The 11i Enterprise OE and above has the 11i installed on it with other things like MirrorDisk and OnlineJFS.

Happy Migrating...

GL,
C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
Stefan Farrelly
Honored Contributor

Re: Blocking access to Oracle ports 1521/1526

 
I'm from Palmerston North, New Zealand, but somehow ended up in London...
Aashish Raj
Valued Contributor

Re: Blocking access to Oracle ports 1521/1526

Alternately, you can do the same by configuring Connection Manager, which comes with Oracle, although there is some configuration-level overhead involved with it.

AR
Tom Dawson
Regular Advisor

Re: Blocking access to Oracle ports 1521/1526

Stefan,

Thanks! It worked like a champ. I found a detailed document on using protocol.ora at metalink.oracle.com and just created a protocol.ora file with these entries:

tcp.validnode_checking = yes
tcp.invited_nodes = ( myhost )

Aashish,

Thanks. But since Stefan's simple method worked, I'll forgo implementing Connection Manager.

Tom