I opened my big mouth in a meeting yesterday, and now I've got to figure
out how to build a firewall that will allow access to SQLnet services and
----Corporate LAN (Windows, etc)---
The trick is, it's an internal firewall: we don't want PCs on the corporate
net sniffing our TCP/IP based network. BUT we want PCs on the corporate
net to be able to access Oracle-based services running on the TCP/IP net,
and run X servers for clients on the TCP/IP net. Performance of the X
services is important.
Neither net needs connection to the Internet.
The TCP/IP based boxes are all using static host tables, not DNS, so DNS
spoofing is not an issue.
One possibility that occurred to me was to simply put a second Ethernet port
on one of the TCP/IP application servers, with routing turned off. I'm not
sure whether OSF/1 will let me tell inetd not to listen to one port, though.
Another possibility is to stick a PC UNIX box running Oracle as a proxy in
the middle, and x-gw. I'm worried about the performance issues in this case.
Finally, a router that only opened up Oracle, X, and telnet access to the
specific application servers.
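The third option above (a router that opens only Oracle, X and telnet to specific servers), sketched as a first-match, default-deny rule table. This is an added example, not part of the original post. The addresses, the SQL*Net listener port 1521 and the X display range :0 to :63 are assumptions; it also assumes the listener does not redirect clients to another port.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for illustration; not taken from the post.
CORP = ipaddress.ip_network("10.1.0.0/16")          # corporate LAN: PCs running X servers
APP_SERVERS = ipaddress.ip_network("10.2.0.16/28")  # the specific application servers

@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network   # who may open the connection
    dst: ipaddress.IPv4Network   # who accepts it
    ports: range                 # permitted destination TCP ports
    note: str

# X runs the "wrong way round": the X *server* is the PC's display, so the
# application servers open connections toward the corporate LAN on 6000+N.
RULES = [
    Rule(CORP, APP_SERVERS, range(1521, 1522), "SQL*Net listener (assumed port)"),
    Rule(CORP, APP_SERVERS, range(23, 24), "telnet"),
    Rule(APP_SERVERS, CORP, range(6000, 6064), "X11 displays :0-:63 (assumed)"),
]

def decide(src, dst, sport, dport, ack=False):
    """Model a stateless router filter: first match wins, anything else is denied.

    ack=True marks a TCP segment with the ACK bit set, the way a router's
    'established' match recognises reply traffic without keeping state.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in RULES:
        # New connection in the permitted direction.
        if s in r.src and d in r.dst and dport in r.ports:
            return "permit: " + r.note
        # Reply traffic: reversed direction, from the service port, ACK set.
        if ack and s in r.dst and d in r.src and sport in r.ports:
            return "permit: reply to " + r.note
    return "deny"

if __name__ == "__main__":
    for pkt in [("10.1.5.9", "10.2.0.20", 40000, 1521),   # PC -> Oracle
                ("10.2.0.20", "10.1.5.9", 40001, 6000),   # X client -> PC display
                ("10.1.5.9", "10.2.0.20", 40000, 6000),   # PC -> server X port
                ("10.1.5.9", "10.2.0.40", 40000, 23)]:    # telnet to unlisted host
        print(pkt, "->", decide(*pkt))
```

Because the X rule points from the application servers toward the PCs, a filter written with all three services in the same direction would block every X client.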