
Re: Firewalling Oracle

From: <jo_holvoet_at_amis.com>
Date: 2006-01-12 09:15:11
Message-id: OF96609EEB.2426FAA4-ONC12570F4.002C9ADD-C12570F4.002D57EE@amis.com

Jared,

we had to implement this for our auditors on our SAP production instance (because we couldn't turn remote_os_authent off). We are using invited nodes, BTW.
A couple of caveats spring to mind :

  1. The first time we implemented it was on 8.1.7. The listener takes the list of nodes and looks up the IP. If any of the nodes were not resolvable, it basically let EVERY node connect again. Not exactly what you would expect.
  2. We're now on 9.2.0.6 and the behaviour is now the opposite : if any of the node names are not resolvable, NOBODY connects. Better than 1), but also not really what you would want. We had a serious issue with this with a couple of laptops belonging to DBAs which would "disappear" from DNS a couple of hours after logging out (something to do with DHCP IIRC; we now have IP address reservations for those machines). A listener restart at that point meant that all kinds of other production machines interfacing with SAP no longer could connect.

Anyway, since this seems to change quite a bit between versions, you may want to do a teeny bit of testing :)

mvg/regards

Jo

Jared Still
Sent by: oracle-l-bounce_at_freelists.org
01/11/2006 20:09
Please respond to jkstill
cc:
Subject: Firewalling Oracle

Hello,

I'm curious how many folks have used the TCP.VALIDNODE_CHECKING, TCP.EXCLUDED_NODES and/or TCP.INVITED_NODES parameters to restrict database access.

What problems did you run into with it?

Was it worth the trouble in your opinion?

Thanks,

Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist

--
http://www.freelists.org/webpage/oracle-l
Received on Thu Jan 12 2006 - 09:15:11 CST
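
A pre-restart check for the caveat described in the reply above, as an added example that is not part of the original thread: it reads the TCP.INVITED_NODES list and reports every entry that does not resolve, so an unresolvable name is caught before the listener is restarted. It assumes the parameters are in sqlnet.ora using the usual parenthesised, comma-separated list, and that it runs on the listener host so the same resolver is consulted; the hostnames in the sample are constructed.

```python
import re
import socket
import sys

# Constructed sample sqlnet.ora content (hostnames and address are made up).
SAMPLE_SQLNET_ORA = """\
# valid node checking
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (sapapp01.example.com, 10.1.2.3,
                     dba-laptop7.example.com)
"""

def parse_node_list(text, param="TCP.INVITED_NODES"):
    """Return the entries of a parenthesised node list, or [] if absent."""
    # Drop comments first so a commented-out list is ignored.
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    # Parameter names are case-insensitive; the list may span several lines.
    m = re.search(r"(?im)^\s*" + re.escape(param) + r"\s*=\s*\(([^)]*)\)", body)
    if not m:
        return []
    return [n.strip() for n in m.group(1).split(",") if n.strip()]

def system_resolver(name):
    """Resolve through the OS resolver; return addresses, [] on failure."""
    try:
        infos = socket.getaddrinfo(name, None)
    except (socket.gaierror, UnicodeError):
        return []
    return sorted({info[4][0] for info in infos})

def unresolvable_nodes(text, resolver=system_resolver, param="TCP.INVITED_NODES"):
    """List the entries of the node list that the resolver cannot resolve."""
    return [n for n in parse_node_list(text, param) if not resolver(n)]

def main(path):
    with open(path) as fh:
        bad = unresolvable_nodes(fh.read())
    for name in bad:
        print("UNRESOLVABLE: " + name)
    # Non-zero exit lets a restart script refuse to continue.
    return 1 if bad else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1]) if len(sys.argv) > 1 else 0)
```

Pass `param="TCP.EXCLUDED_NODES"` to run the same check over the exclusion list.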
