Re: Oracle and SqlNet behind a firewall

I had the same issue when trying to go through an Axent application proxy
firewall. I got around it by adding a registry setting. See note 66382.1 on
MetaLink, or do a search on USE_SHARED_SOCKET. I've included an excerpt from
the note that should help.
Regards,
Michael Siebert
Solutions Consulting, LLC
www.scglobal.com
<SNIP>
(ii) The second way to resolve this issue is to upgrade the server to 8.0.x
and use the USE_SHARED_SOCKET parameter in the registry. With this method, it
doesn't matter what kind of firewall you have. The syntax for this parameter
is:

    USE_SHARED_SOCKET = TRUE

Place the parameter in the registry under HKEY_LOCAL_MACHINE:Software: Oracle

Restart Oracle and the listener for the parameter to take effect.

Here's how USE_SHARED_SOCKET works. The listener binds and creates a socket
on the address specified in the "listener.ora" file. On this socket, there is
a LISTEN state active that is used by the listener. When a new connection
comes in to the listener, the listener spawns an Oracle thread on the
listening port (i.e. 1521). This happens over and over again so that you have
a listener and several established connections using port 1521. Pictorially
this scenario would look like this:

    +---<O>--------<O>----<O>---<O>--+
    |                                |
    | This square represents        <O>
    | a listening socket for         |
    | port 1521.                     |
   <O>                               |
    | <O> = oracle thread           <O>
    | <L> = listener                 |
    |                                |
    +-<O>-------<L>--<O>------<O>----+

The operating system then does a poll() or a select() on the socket to test
for any data. If any of the threads have data, a signal handler is used to
contact the application and inform it of the new data.

The disadvantage of USE_SHARED_SOCKET is that if the listener shuts down, all
connections are dissolved.

"VanderMey, Bob" wrote:
> Dan,
>
> Our security guys complained about the same thing. When I looked into it, I
> couldn't figure out how to limit the outbound ports. The problem is that
> the listener uses port 1521 (or another of your choice) but then hands off
> to the database. The database then picks a port to use when talking to the
> client. The best I could come up with at the time, was to have the
> security guys see which ports were being used (they all stay within a
> certain range) and then open up a range of ports somewhat lower and higher
> than those being used.
>
> If you do figure this out, please let me know what you did.
>
> Bob VanderMey
> Oracle DBA
> OrderZone.com, Inc.
> 847 573-2687
> bvandermey_at_orderzone.com
> 565 Lakeview Parkway, Suite 250
> Vernon Hills, IL 60061
> http://www.orderzone.com
>
> -----Original Message-----
> Sent: Thursday, July 20, 2000 4:08 PM
> To: Multiple recipients of list ORACLE-L
>
> Just put our first NT server with Oracle 8.0.5 and Net8 behind a firewall.
>
> The security guys are complaining because all the inbound traffic goes in
> through port #1521, but the outbound traffic is using multiple and random
> ports.
> They don't like this.
>
> Anybody know anything about this?
>
> --
> Author:
> INET: Dan.Hubler_at_midata.com
>
> Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> San Diego, California -- Public Internet access / Mailing Lists
> --------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).
>
> --
> Author: VanderMey, Bob
> INET: BVanderMey_at_OrderZone.com

Received on Fri Jul 21 2000 - 08:33:56 CDT
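
A check for the behaviour discussed in this thread, added here as an example (it is not from the MetaLink note or from either poster): it counts established Oracle sessions per local port, so a firewall team can see whether sessions are handed off to other ports or all stay on 1521 as the note describes for USE_SHARED_SOCKET. The `netstat -ano` column layout, the PIDs and every address in the samples are assumptions constructed for illustration.

```python
"""Check whether Oracle client sessions stay on the listener port."""
from collections import Counter

LISTENER_PORT = 1521  # port named in the thread; match your listener.ora

# Constructed samples in the column layout of Windows `netstat -ano`.
# PID 1500 stands in for the listener, 1840 for the Oracle server process.
SAMPLE_REDIRECTED = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:1521           0.0.0.0:0              LISTENING       1500
  TCP    10.0.0.5:1063          192.0.2.10:40112       ESTABLISHED     1840
  TCP    10.0.0.5:1071          192.0.2.11:40977       ESTABLISHED     1840
  TCP    10.0.0.5:139           10.0.0.9:1032          ESTABLISHED     4
"""
SAMPLE_SHARED = """\
  TCP    0.0.0.0:1521           0.0.0.0:0              LISTENING       1500
  TCP    10.0.0.5:1521          192.0.2.10:40112       ESTABLISHED     1840
  TCP    10.0.0.5:1521          192.0.2.11:40977       ESTABLISHED     1840
"""


def parse_netstat(text):
    """Yield (local_port, remote_addr, state, pid) for each TCP row."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0].upper() != "TCP":
            continue  # header, UDP rows (no state column), blank lines
        try:
            port = int(f[1].rsplit(":", 1)[1])  # rsplit copes with [::]:1521
            pid = int(f[4])
        except (IndexError, ValueError):
            continue  # malformed row: skip rather than guess
        yield port, f[2], f[3].upper(), pid


def session_ports(text, oracle_pids):
    """Count established sessions per local port for the given PIDs."""
    return Counter(port for port, _, state, pid in parse_netstat(text)
                   if state == "ESTABLISHED" and pid in oracle_pids)


def off_listener_ports(text, oracle_pids, listener_port=LISTENER_PORT):
    """Local ports a firewall would have to allow besides the listener port."""
    return sorted(p for p in session_ports(text, oracle_pids)
                  if p != listener_port)


if __name__ == "__main__":
    for name, sample in (("redirected", SAMPLE_REDIRECTED),
                         ("shared", SAMPLE_SHARED)):
        print(name, dict(session_ports(sample, {1840})),
              off_listener_ports(sample, {1840}))
```

An empty list from `off_listener_ports` means every session owned by the given PIDs is on the listener port, so the inbound rule for 1521 is the only one those sessions need.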