Re: Firewalling Oracle

  • From: jo_holvoet@xxxxxxxx
  • To: jkstill@xxxxxxxxx
  • Date: Thu, 12 Jan 2006 09:15:11 +0100

Jared,

we had to implement this for our auditors on our SAP production instance
(because we couldn't turn remote_os_authent off). We are using invited
nodes, BTW.
A couple of caveats spring to mind:

1) The first time we implemented it was on 8.1.7. The listener takes the
list of nodes and looks up the IP. If any of the nodes were not resolvable,
it basically let EVERY node connect again. Not exactly what you would
expect.

2) We're now on 9.2.0.6 and the behaviour is now the opposite: if any of
the node names are not resolvable, NOBODY connects. Better than 1), but
also not really what you would want. We had a serious issue with this with
a couple of laptops belonging to DBAs which would "disappear" from DNS a
couple of hours after logging out (something to do with DHCP IIRC; we now
have IP address reservations for those machines). A listener restart at
that point meant that all kinds of other production machines interfacing
with SAP could no longer connect.

Anyway, since this seems to change quite a bit between versions, you may
want to do a teeny bit of testing :)

mvg/regards

Jo


Jared Still <jkstill@xxxxxxxxx>
Sent by: oracle-l-bounce@freelists.org
To: Oracle-L Freelists <oracle-l@xxxxxxxxxxxxx>
cc:
Subject: Firewalling Oracle
01/11/2006 20:09
Please respond to jkstill

Hello,

I'm curious how many folks have used the TCP.VALIDNODE_CHECKING,
TCP.EXCLUDED_NODES and/or TCP.INVITED_NODES parameters to restrict
database access.

What problems did you run into with it?

Was it worth the trouble in your opinion?

Thanks,

Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist

--
//www.freelists.org/webpage/oracle-l
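Both messages above turn on the same detail: the listener resolves every name in TCP.INVITED_NODES, and one unresolvable entry either lets everyone in (8.1.7) or locks everyone out (9.2.0.6). The following is an added example, not code from either poster, that checks each invited node resolves before a listener restart; the sqlnet.ora fragment is constructed, and it assumes the plain parenthesised, comma-separated list form of the parameter (no wildcards or CIDR entries).

```python
import ipaddress
import re
import socket
from typing import Callable, Dict, List

# Constructed sqlnet.ora fragment; the hostnames and address are sample values.
SAMPLE_SQLNET_ORA = """
TCP.VALIDNODE_CHECKING = yes
TCP.INVITED_NODES = (sapapp01.example.com, 10.1.2.30,
                     dba-laptop.example.com)
"""

def parse_invited_nodes(text: str) -> List[str]:
    """Return the entries of TCP.INVITED_NODES, assuming the (a, b, c) list form."""
    m = re.search(r"TCP\.INVITED_NODES\s*=\s*\(([^)]*)\)", text,
                  re.IGNORECASE | re.DOTALL)
    if not m:
        return []
    return [n.strip() for n in m.group(1).split(",") if n.strip()]

def is_ip_literal(node: str) -> bool:
    """IP literals need no DNS lookup, so they can never trip the listener."""
    try:
        ipaddress.ip_address(node)
        return True
    except ValueError:
        return False

def check_nodes(nodes: List[str],
                resolve: Callable[[str], str] = socket.gethostbyname) -> Dict[str, bool]:
    """Map each invited node to True if it resolves (or is an IP), else False."""
    status: Dict[str, bool] = {}
    for node in nodes:
        if is_ip_literal(node):
            status[node] = True
            continue
        try:
            resolve(node)          # any failure here is what breaks the listener
            status[node] = True
        except OSError:            # socket.gaierror / herror are OSError subclasses
            status[node] = False
    return status

def safe_to_restart(text: str,
                    resolve: Callable[[str], str] = socket.gethostbyname) -> bool:
    """True only when every invited node resolves; run this before lsnrctl reload/stop."""
    return all(check_nodes(parse_invited_nodes(text), resolve).values())

if __name__ == "__main__":
    for node, ok in check_nodes(parse_invited_nodes(SAMPLE_SQLNET_ORA)).items():
        print(f"{'OK  ' if ok else 'FAIL'} {node}")
```

Run it against the real sqlnet.ora (or wire it into the restart procedure) so a laptop that has dropped out of DNS is caught before the listener is bounced rather than after production connections start failing.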
