How to limit Oracle to use specific ports


I've built a new Oracle 9iR2 instance on a Windows 2003 32-bit cluster. Of course, it's version 9i for reasons out of my control. Several application servers connect to this instance, and each opens several DEDICATED connections that they keep open for their work.

This instance is in a locked-down environment, so my network guys want to seal off as many ports as possible. To do that, I need to tell them precisely what ports or port ranges the instance needs open.

I've skimmed the Listener documentation, and I can see that I can change the default Listener port of 1521. However, every connection these application servers open against the database appears to get its own TCP port.

Is there any way to limit the range of ports these servers will use to connect to the database?

Best Answer

If the listener runs on port 1521 of the database server and you open a dedicated connection then the socket pair that constitutes that connection is from client:clientport to dbserver:1521.

If you have connections of the type dbserver:serverport to client:clientport then you don't have a dedicated connection but you have a multithreaded server (or shared server in higher versions) running. You can restrict the possible number of ports used by the server by configuring the ports of the dispatcher explicitly.

Oracle9i Net Services Administrator's Guide Release 2 (9.2) Part Number A96580-02

14 Configuring Shared Server

Example: Dispatcher Address with PORT

To force the exact location of the dispatchers, add the PORT as follows in the init.ora file or spfile:

DISPATCHERS="(ADDRESS=(PROTOCOL=tcp) (HOST=144.25.16.201)(PORT=5000))(DISPATCHERS=1)"
DISPATCHERS="(ADDRESS=(PROTOCOL=tcp) (HOST=144.25.16.201)(PORT=5001))(DISPATCHERS=1)"
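An added example, not part of the original answer or of Oracle's documentation: a small Python check that reads DISPATCHERS entries from an init.ora-style text, lists the TCP ports a firewall rule set would need alongside the listener port, and flags TCP dispatchers that have no explicit PORT. The function name and the sample file are assumptions made for illustration; the third sample entry is constructed.

```python
import re

# Constructed sample: the two PORT entries mirror the guide's example above;
# the third entry (no PORT) is made up to show the unpinned case.
SAMPLE_INIT_ORA = '''
# constructed sample init.ora fragment
DISPATCHERS="(ADDRESS=(PROTOCOL=tcp) (HOST=144.25.16.201)(PORT=5000))(DISPATCHERS=1)"
DISPATCHERS="(ADDRESS=(PROTOCOL=tcp) (HOST=144.25.16.201)(PORT=5001))(DISPATCHERS=1)"
DISPATCHERS="(PROTOCOL=tcp)(DISPATCHERS=2)"
'''

# Matches "dispatchers=..." and the "*.dispatchers=..." form of an exported spfile.
PARAM_RE = re.compile(r'^\s*(?:[\w*]+\.)?dispatchers\s*=\s*(.+)$', re.I)
PROTO_RE = re.compile(r'\(\s*PROTOCOL\s*=\s*(\w+)\s*\)', re.I)
PORT_RE = re.compile(r'\(\s*PORT\s*=\s*(\d+)\s*\)', re.I)


def firewall_ports(init_ora_text, listener_port=1521):
    """Return (sorted ports to allow, [(line number, value)] of unpinned entries).

    An unpinned entry is a TCP dispatcher with no PORT: its port is not fixed
    by the configuration, so it cannot be covered by a static firewall rule.
    """
    pinned, unpinned = {listener_port}, []
    for lineno, line in enumerate(init_ora_text.splitlines(), 1):
        match = PARAM_RE.match(line)
        if not match:
            continue  # comments, blank lines, other parameters
        value = match.group(1).strip().strip('"\'')
        proto = PROTO_RE.search(value)
        if not proto or proto.group(1).lower() not in ('tcp', 'tcps'):
            continue  # non-TCP dispatchers (e.g. ipc) need no firewall rule
        port = PORT_RE.search(value)
        if port:
            pinned.add(int(port.group(1)))
        else:
            unpinned.append((lineno, value))
    return sorted(pinned), unpinned


if __name__ == '__main__':
    ports, unpinned = firewall_ports(SAMPLE_INIT_ORA)
    print('Allow inbound TCP to the database server on:', ports)
    for lineno, value in unpinned:
        print(f'line {lineno}: no PORT set, add one before sealing ports: {value}')
```

Pass a different listener_port if the listener has been moved off the default 1521.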