open port numbers behind the firewall


Before adding the firewall, the applications are up and running. My
understanding is that the firewall is in front of websphere server and
database server. Now, the websphere server cannot connect to database
server on port 1521, that means port 1521 needs to be open on database
server side? Do we need to open the same port 1521 on websphere server
too? I cannot ping, cannot telnet from websphere to database.


Please advise. Thanks a lot!!

Re: open port numbers behind the firewall

The port probably is open on the database server, but you'll also need
to configure the firewall to allow traffic to that port on the database
server.


Unlikely.


So?

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: open port numbers behind the firewall


We need to open the port that the database server listens on for the
websphere server's request. But what port does websphere listen on for
the response from the database server?

I think a similar analogy is the web browser. When we go to
http://www.google.com , the google server listens on port 80 for the
requests from the web browser. How about the data sent back from the
web server to the web browser; what port does the web browser listen on?



Re: open port numbers behind the firewall
Hi,


Depending on the OS, anything from either 1-65365 or 1024-65365.
The originating port is not important; the firewall can track the
connection.

You should ask someone who is proficient with security to help you
design and set up the network and security measures.

Cheers,
    Jens


Re: open port numbers behind the firewall

That's irrelevant. The response from the database server will take the
same route as the request, only in the opposite direction. If the
firewall is stateful (which it should be), you don't need to do anything
other than allow requests to the database server's port.


Web browsers don't listen on any port. It's the same as described above.
The response goes back through the already established connection.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: open port numbers behind the firewall


Talk to your sysadmin folks and explain what you need to achieve.

Chris

Re: open port numbers behind the firewall
In article <e0bd66a3-b964-48f8-9738-12e81ab10baa@w39g2000prb.googlegroups.com>, javacc2@gmail.com says...

If the firewall is in front of BOTH the Web/DB server, but the Web and
DB server are in different networks (and they should be), then you need
to map a rule between the web server's firewall network and the database
server's network for the port that it communicates on.

Firewall PUBLIC Port (some public IP)
Firewall WEB Sv Port (192.168.8.10/24) just making up a network
Firewall DB Sv Port  (192.168.9.10/24) just making up a network

By default there is no access between the 192.168.8 and 192.168.9 networks;
you have to make a rule between them.

Your rule should be as specific as possible, something like this:

Allow 192.168.8.10 (Web) > 192.168.9.10:TCP 1521

This limits access to the data to JUST the IP and Port of the database
server.

With a rule like this you can NOT PING or telnet to the DB server, since
you didn't create a PING/Telnet rule to permit access.

If you setup improper rules your web server could allow external users
to compromise your database - please contact the firewall administrator
to make the proper changes for you.


--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
  drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
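The two points made in this thread (59cobalt: a stateful firewall tracks the connection, so the web server's ephemeral source port never needs its own rule; the reply above: one narrow allow rule for 192.168.8.10 > 192.168.9.10:TCP 1521 also means ping and telnet to the DB server are dropped) can be checked against a small model. The following is an added example, not code from anyone in this thread. It uses the addresses and port from the post above; the packet format, the class and function names, the ephemeral port numbers and the extra host 192.168.8.20 are constructed for the illustration only.

```python
"""Toy model of a stateful firewall sitting between the Web and DB networks.

Constructed example. 192.168.8.10 (web server), 192.168.9.10 (database
server) and TCP 1521 come from the thread; everything else is assumed.
"""
from dataclasses import dataclass

WEB = "192.168.8.10"
DB = "192.168.9.10"
DB_PORT = 1521


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # 0 for ICMP, which has no ports
    dport: int = 0
    syn: bool = False   # True only on the first segment of a TCP connection


# The single, deliberately narrow rule recommended in the thread:
#   Allow 192.168.8.10 (Web) > 192.168.9.10:TCP 1521
# Format: (protocol, source host, destination host, destination port).
# No source port is listed: the ephemeral port is whatever the OS picks.
ALLOW_RULES = [("tcp", WEB, DB, DB_PORT)]


class StatefulFirewall:
    def __init__(self):
        # Connection table: 5-tuples of requests that matched an allow rule.
        self.conntrack = set()

    @staticmethod
    def _flow_key(pkt):
        return (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)

    @staticmethod
    def _reverse_key(pkt):
        # The same flow seen from the responder's side.
        return (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)

    def filter(self, pkt):
        # 1. A reply belonging to a tracked connection is accepted, whatever
        #    ephemeral port the web server chose: the state table knows it.
        if self._reverse_key(pkt) in self.conntrack:
            return "ACCEPT (established)"
        # 2. Further segments of an already accepted request are accepted too.
        if self._flow_key(pkt) in self.conntrack:
            return "ACCEPT (established)"
        # 3. A new connection is accepted only if an explicit rule allows it,
        #    and only in the direction the rule names.
        for proto, src, dst, dport in ALLOW_RULES:
            if (pkt.proto, pkt.src, pkt.dst, pkt.dport) == (proto, src, dst, dport) and pkt.syn:
                self.conntrack.add(self._flow_key(pkt))
                return "ACCEPT (new)"
        # 4. Everything else, including ping and telnet, is dropped by default.
        return "DROP"


def simulate():
    """Run constructed sample traffic through the model; returns (label, verdict) pairs."""
    fw = StatefulFirewall()
    traffic = [
        ("web:49152 -> db:1521 SYN (JDBC connect)",
         Packet("tcp", WEB, DB, sport=49152, dport=DB_PORT, syn=True)),
        ("db:1521 -> web:49152 (reply to that request)",
         Packet("tcp", DB, WEB, sport=DB_PORT, dport=49152)),
        ("web -> db ICMP echo (ping)",
         Packet("icmp", WEB, DB)),
        ("web:49153 -> db:23 SYN (telnet)",
         Packet("tcp", WEB, DB, sport=49153, dport=23, syn=True)),
        ("192.168.8.20:40000 -> db:1521 SYN (host not in the rule)",
         Packet("tcp", "192.168.8.20", DB, sport=40000, dport=DB_PORT, syn=True)),
        ("db:40001 -> web:1521 SYN (wrong direction)",
         Packet("tcp", DB, WEB, sport=40001, dport=DB_PORT, syn=True)),
    ]
    return [(label, fw.filter(pkt)) for label, pkt in traffic]


if __name__ == "__main__":
    for label, verdict in simulate():
        print(f"{label:58s} {verdict}")
```

Only the first two packets get through: the request because it matches the rule, the reply because the connection is already in the state table. The model makes no rule for the web server's side at all, which is the answer to the original question; the ping, the telnet and the connection from the second web-network host are dropped because the rule names one source host, one destination host and one port, nothing more.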
