Limiting access by IP address [message #163197]
Wed, 15 March 2006 08:18
gatsby
Messages: 22 Registered: March 2006
Junior Member
I need some advice on how to limit access to my Oracle 9i database by IP address.
There are a relatively small number of users who need to access this database. Using the tcp.invited_nodes parameter in sqlnet.ora works excellently for those with static IP addresses, but not for those users who use DHCP. We need to allow access for those users with DHCP.
Is the tcp.invited_nodes parameter the best way to handle this? If so, how would you suggest handling those users with DHCP? Will I have to use CMAN in this situation?
Thanks in advance.
Re: Limiting access by IP address [message #167927 is a reply to message #163197]
Mon, 17 April 2006 23:13
markmal
Messages: 113 Registered: April 2006 Location: Toronto, Canada
Senior Member
You can do the opposite:
    tcp.validnode_checking = YES
    tcp.excluded_nodes = {list of IP addresses}
You can also look into CMan, using /nn notation for your DHCP range/subnet addresses:
    (RULE=(SRC=206.62.226.32/27)(DST=sales-server)(SRV=*)(ACT=accept))
Or simply use some other firewall.
Re: Limiting access by IP address [message #185941 is a reply to message #163197]
Fri, 04 August 2006 07:21
gatsby
Messages: 22 Registered: March 2006
Junior Member
For the record...
The main problem with valid node checking is that it is unable to work properly with DHCP. Since the very idea of DHCP is to assign IP addresses dynamically (i.e. the IP changes from time to time), it becomes difficult if not impossible to know what a specific computer's IP address is over the course of many months. At least, you can't be sure enough about the IP that you can configure a filter around it.
In other software, filters like this are usually accomplished with wildcards. See the example below.
If I were to enter the following:
    tcp.validnode_checking = YES
    tcp.excluded_nodes = 192.2.0.*
This example would allow all IP addresses from the fictional 192.2. address range to connect to the Oracle database. However, when I tried this on my filter, it allowed *all* IP traffic in, regardless of source IP address. Unless I'm overlooking something, in a situation with DHCP you will have to use CMAN, a third-party firewall, or some other traffic controller.
[Updated on: Fri, 04 August 2006 07:27]
Re: Limiting access by IP address [message #194953 is a reply to message #185941]
Tue, 26 September 2006 05:23
SilverChi
Messages: 17 Registered: September 2006
Junior Member
Hi there..
I'm new to Oracle, and for now I'm still using Ora9i. I need to filter which terminals (by IP address) are allowed to access my database. I've read some references about Oracle Connection Manager, but I still don't know whether it is installed on my machine, or how to start using it (if it is installed). Any clues?
Regards..
Re: Limiting access by IP address [message #195148 is a reply to message #194982]
Wed, 27 September 2006 03:52
SilverChi
Messages: 17 Registered: September 2006
Junior Member
I've installed CMAN on my Oracle machine. Then I created a cman.ora file with this configuration:
    CMAN=
      (ADDRESS=(PROTOCOL=tcp)(HOST=mysvr05)(PORT=1630))
    CMAN_ADMIN=
      (ADDRESS=(PROTOCOL=tcp)(HOST=mysvr05)(PORT=1830))
    CMAN_RULES=
      (RULE_LIST=
        (RULE=
          (SRC=mysvr05)
          (DST=mysvr05)
          (SRV=testdb)
          (ACT=accept))
        (RULE=
          (SRC=10.5.1.76)
          (DST=mysvr05)
          (SRV=testdb)
          (ACT=accept)))
    CMAN_PROFILE=
      (PARAMETER_LIST=
        (LOG_LEVEL=2)
        (REMOTE_ADMIN=YES)
        (TRACING=on))
But it doesn't work as I'd assumed. Any terminal within my department is still able to access my database. Is it something I've done wrong?
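The two mechanisms argued over in this thread behave very differently, and it helps to see both evaluated against concrete addresses. The script below is an added example, not Oracle code and not posted by anyone in the thread: it models sqlnet.ora valid node checking as the literal string comparison gatsby reports on 9i (so a wildcard like 192.2.0.* matches no real address), and models Connection Manager rules with the /nn subnet notation markmal suggests, including a small parser for the (RULE=...) blocks in cman.ora. The "no matching rule means reject" default is a modelling assumption, as is the "orcl" service name used for the subnet rule. Run over SilverChi's own RULE_LIST, the model rejects every department address other than 10.5.1.76, so if other terminals still get in, the rules are not the thing to examine; what to verify is whether those clients actually traverse CMAN (PORT=1630 in the posted cman.ora) rather than reaching the listener directly.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed model of the two access-control mechanisms discussed in the
# thread. Not Oracle code; it mirrors the behaviour the posters describe.

# --- sqlnet.ora valid node checking ----------------------------------------

def parse_node_list(value: str) -> List[str]:
    """Split a tcp.invited_nodes / tcp.excluded_nodes value into its entries."""
    return [e.strip() for e in value.strip("() ").split(",") if e.strip()]


def valid_node_check(src: str, invited: str = "", excluded: str = "") -> bool:
    """Return True if the listener would accept a connection from `src`.

    Entries are compared as literal strings, which is the 9i behaviour the
    thread reports: a wildcard such as 192.2.0.* never equals a real source
    address, so excluding it excludes nothing and inviting it invites nobody."""
    inv, exc = parse_node_list(invited), parse_node_list(excluded)
    if inv:
        return src in inv
    if exc:
        return src not in exc
    return True


# --- Connection Manager (CMAN) rules ----------------------------------------

RULE_RE = re.compile(r"\(RULE=((?:\s*\([^()]*\)\s*)+)\)")
PAIR_RE = re.compile(r"\((\w+)=([^()]*)\)")


def parse_rule_list(cman_rules: str) -> List[Dict[str, str]]:
    """Extract (RULE=(SRC=..)(DST=..)(SRV=..)(ACT=..)) blocks from cman.ora text."""
    return [dict(PAIR_RE.findall(body)) for body in RULE_RE.findall(cman_rules)]


def source_matches(pattern: str, src: str) -> bool:
    """SRC may be '*', a host name, a single IP, or a subnet in /nn notation."""
    if pattern == "*" or pattern == src:
        return True
    if "/" in pattern:
        try:
            return ipaddress.ip_address(src) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:  # src is a host name, not an address
            return False
    return False


def cman_decide(rules: List[Dict[str, str]], src: str, dst: str, srv: str) -> str:
    """First matching rule wins. With no match we return 'reject'; the thread
    does not state CMAN's default, so that is a modelling assumption."""
    for rule in rules:
        if (source_matches(rule["SRC"], src)
                and rule["DST"] in ("*", dst)
                and rule["SRV"] in ("*", srv)):
            return rule["ACT"]
    return "reject"


# SilverChi's CMAN_RULES section, reproduced verbatim as a string.
SILVERCHI_RULES = """
CMAN_RULES=
(RULE_LIST=
(RULE=
(SRC=mysvr05)
(DST=mysvr05)
(SRV=testdb)
(ACT=accept))
(RULE=
(SRC=10.5.1.76)
(DST=mysvr05)
(SRV=testdb)
(ACT=accept)))
"""

# markmal's subnet rule, with its closing parenthesis added.
SUBNET_RULE = "(RULE=(SRC=206.62.226.32/27)(DST=sales-server)(SRV=*)(ACT=accept))"

if __name__ == "__main__":
    # Valid node checking: the wildcard exclusion lets everyone in.
    print(valid_node_check("192.2.0.7", excluded="192.2.0.*"))             # True
    # CMAN with a /27: hosts .32-.63 are accepted, .64 and above are not.
    rules = parse_rule_list(SUBNET_RULE)
    print(cman_decide(rules, "206.62.226.40", "sales-server", "orcl"))     # accept
    print(cman_decide(rules, "206.62.226.70", "sales-server", "orcl"))     # reject
    # SilverChi's rules admit only the server itself and 10.5.1.76; any other
    # department terminal is rejected, provided its traffic goes through CMAN.
    rules = parse_rule_list(SILVERCHI_RULES)
    print(cman_decide(rules, "10.5.1.76", "mysvr05", "testdb"))            # accept
    print(cman_decide(rules, "10.5.1.50", "mysvr05", "testdb"))            # reject
```

A /27 covers 32 addresses, so markmal's example admits 206.62.226.32 through .63; a DHCP scope that fits inside such a block can be expressed with one rule, which is what valid node checking on 9i cannot do.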