Great Circle Associates Firewalls
(February 1996)

Subject: Re: SQL*Net proxy?
From: Vinci CHOU <vkmchou @ HK . Super . NET>
Date: Tue, 27 Feb 1996 14:35:24 -0900
To: Firewalls @ greatcircle . com
References: <Pine . SUN . 3 . 91 . 960205163126 . 9273A-100000 @ access1 . digex . net>

Tom Cooper wrote:
> 
> Has anyone successfully configured a proxy for outbound/inbound SQL*Net
> transactions?
> 
> In my observations, Unix to Unix server communications take place on a
> designated port, but PC to Unix communications switch port numbers after
> about 20-25 packets.
> 
> The PC always sends to the designated port, but the Unix server changes
> to a different port.  This makes filtering difficult.
> 
> Thanks

I'm also interested to know whether it is possible to allow SQL*Net
traffic through a normal packet filtering router.

I've asked Oracle, and the reply was quite disappointing; it seems to
me that it is not possible to allow SQL*Net through a FW or a
packet filtering router reasonably safely.  Part of the reply is
as follows -

*******************************************************************
Unfortunately, currently, the only way to have sqlnet v1 and v2 tcp
work thru firewall is to turn off that firewall's port security.
This has the unfortunate result of negating the reason for the
firewall.
Although sqlnet v1 and v2 tcp listen on a particular tcp port,
like 1521 or 1525, a remote client ends up connecting to a client
shadow process on the server via a different tcp port, which
is not currently definable.  So if you allow tcp port 1521
connections, your remote clients can connect to the listener
thru the firewall, but won't be able to connect to the
client shadow process, which will be on say port 1688.
*******************************************************************

So, does anyone have any idea how to handle this situation?
And can CheckPoint Firewall-1's Multi-Layer Stateful
Inspection be helpful in this situation?



Vinci.
vkmchou @ hk . super . net
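The behaviour the quoted Oracle reply describes (client connects to the listener on 1521, then gets sent to a shadow process on an unpredictable port such as 1688) is exactly what a static packet filter cannot follow and what a stateful inspection engine can. The following is an added illustration, not code from the original post, from Oracle or from any firewall product: it contrasts a fixed-port filter with a toy stateful filter that learns the shadow port from the listener's reply and opens a pinhole only for that client. The "REDIRECT <port>" message is a constructed simplification standing in for the real SQL*Net redirect, and the client address is made up.

```python
# Added example: static port filter vs. stateful filter for a
# listener-then-redirect protocol such as SQL*Net (ports 1521 and 1688
# are the ones named in the quoted Oracle reply; the "REDIRECT n" payload
# is a constructed stand-in, not the real SQL*Net wire format).

LISTENER_PORT = 1521


class StaticFilter:
    """Permits inbound TCP only to a fixed set of server ports."""

    def __init__(self, allowed_ports):
        self.allowed = set(allowed_ports)

    def permits(self, client, server_port):
        return server_port in self.allowed

    def observe_server_reply(self, client, server_port, payload):
        return None  # a static filter learns nothing from traffic


class StatefulFilter:
    """Permits the listener port, then learns each client's redirect
    port from the server's reply and opens a pinhole for that client."""

    def __init__(self):
        self.pinholes = set()  # (client, server_port) pairs

    def permits(self, client, server_port):
        return server_port == LISTENER_PORT or (client, server_port) in self.pinholes

    def observe_server_reply(self, client, server_port, payload):
        # Only trust a redirect seen on the already-permitted listener session;
        # a "REDIRECT" on any other port must not open anything.
        if server_port != LISTENER_PORT:
            return None
        parts = payload.split()
        if len(parts) == 2 and parts[0] == "REDIRECT" and parts[1].isdigit():
            port = int(parts[1])
            if 1024 <= port <= 65535:  # refuse redirects into privileged ports
                self.pinholes.add((client, port))
                return port
        return None


def run_session(fw, client="10.0.0.5"):
    """Simulate one connection: client -> 1521, server replies REDIRECT 1688,
    client -> 1688. Returns whether each client packet was permitted."""
    first = fw.permits(client, LISTENER_PORT)
    fw.observe_server_reply(client, LISTENER_PORT, "REDIRECT 1688")
    second = fw.permits(client, 1688)
    return [first, second]
```

With the static filter the second connection is dropped, which is the failure the Oracle reply describes; the stateful filter admits it, but only for the client that received the redirect.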

