Oracle and firewall settings

Source: Internet
Author: User

This post explains how to make a Windows Oracle database reachable through a firewall by opening only one fixed TCP port.

The root cause of the problem is the unusual design of Oracle Database on Windows (the problem does not exist on Unix/Linux).

1. How Oracle network communication ports work

Network access to the Oracle database uses an unusual working mode. The process is as follows:

1) The Oracle Net Listener process on the Oracle server continuously listens on a fixed TCP port (default: 1521);

2) The client sends a connection request to the listener port on the server;

3) After the listener receives the client's request, it establishes a connection with the client and asks the server to create a new database connection service process (hereinafter referred to as P). P randomly selects and binds an unused TCP port and reports the port number to the listener;

4) The listener forwards the port number bound by P to the client;

5) After receiving P's port number, the client closes its connection to the listener and connects directly to P on that port.

At this point the connection is complete, and the client can access the database.


As the workflow above shows, in this mode the Oracle server port the client actually connects to is random.

Therefore, opening a single fixed TCP port on the firewall cannot make the Oracle server accessible.

It is said that Oracle had to do this because a bug in the TCP/IP stack of early Windows NT caused problems when connecting directly through the public port, so Oracle came up with this "brilliant" design.

But hasn't that bug been fixed since NT4 SP3? Why does Oracle 11g still use this mode? Given how serious network security problems are today, if firewalls could not be used, wouldn't Oracle databases on Windows be unsellable?

Of course Oracle is not that foolish. Since Oracle 8i, Oracle for Windows can also use the normal working mode, but the unusual mode is still used by default.

This problem occurs only with Oracle 9i and earlier on Windows. On Linux and Unix platforms, multiple processes can share a port: the Oracle server process uses the same port (1521) as the listener process, the client connects only once, and there is no second connection, which differs from the process described above.

On Windows, 10g and later databases also use port multiplexing to avoid this problem; in fact, in 10g USE_SHARED_SOCKET defaults to TRUE.

2. Set a program exception in the firewall

In Oracle's unusual mode, you can add an exception for the Oracle program in the firewall to let it through.

3. Set a port exception in the firewall

Add a string value in the Windows registry under HOMEDIR (HOMEDIR is the instance name of the Oracle database installed on your machine) named USE_SHARED_SOCKET with the value TRUE (case sensitive), then restart the Oracle instance or simply restart Windows.
In this way you only need to open the Oracle listener port (1521 by default) on the firewall, and Oracle can then be accessed from outside the firewall.
Regarding MTS mode (shared server mode): Oracle uses dedicated mode by default.

Testing showed that if the parameter is not set in the init file, Oracle still needs a random port in addition to port 1521 to communicate, but this random port does not change with client sessions and logins; it stays fixed as long as the server is not restarted. (The test found that in dedicated mode, for each connection the Oracle server hands out a non-1521 port, incrementing by 1 each time.) Therefore, you must add the following parameter at the end of the init.ora file:
    mts_dispatchers = "(address=(protocol=tcp)(host=myoradb)(port=1521))(dispatchers=1)"
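As an added example (not part of the original article), the following Python script checks the outcome of the change above from the server side: it parses the output of Windows `netstat -ano` and reports any established sessions that Oracle processes serve on a port other than the listener port. The netstat sample and the process IDs in it are constructed.

```python
import re
from collections import Counter

LISTENER_PORT = 1521  # default Oracle Net listener port, as in the article

# One TCP line of Windows `netstat -ano`: proto, local, foreign, state, PID
NETSTAT_LINE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+):(?P<rport>\S+)"
    r"\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)

def parse_netstat(text):
    """Return (local_port, remote_addr, state, pid) tuples for TCP lines."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            rows.append((int(m["lport"]), m["raddr"], m["state"], int(m["pid"])))
    return rows

def redirected_ports(text, oracle_pids, listener_port=LISTENER_PORT):
    """Map local_port -> number of ESTABLISHED sessions that Oracle processes
    serve on a port other than the listener port.  An empty result means every
    session is multiplexed over the listener port, i.e. the fixed-port setup
    from the article is in effect; otherwise the server is still redirecting
    clients to random ports that a single firewall rule will not cover."""
    hits = Counter()
    for lport, _raddr, state, pid in parse_netstat(text):
        if pid in oracle_pids and state == "ESTABLISHED" and lport != listener_port:
            hits[lport] += 1
    return dict(hits)

# Constructed sample output; PIDs 1200 (listener) and 2400 (oracle) are made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:1521           0.0.0.0:0              LISTENING       1200
  TCP    192.168.1.10:1521      192.168.1.55:50211     ESTABLISHED     1200
  TCP    192.168.1.10:1522      192.168.1.55:50213     ESTABLISHED     2400
  TCP    192.168.1.10:1523      192.168.1.60:41022     ESTABLISHED     2400
  TCP    192.168.1.10:445       192.168.1.9:3311       ESTABLISHED     4
"""

if __name__ == "__main__":
    for port, n in sorted(redirected_ports(SAMPLE, {1200, 2400}).items()):
        print(f"port {port}: {n} session(s) outside the listener port")
```

On a real server, replace SAMPLE with the captured `netstat -ano` output and the PID set with the PIDs of tnslsnr.exe and oracle.exe from Task Manager.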
