tomclegg.net

Oracle 9i server behind a firewall with NAT
Posted August 21, 2003

You want to put your Oracle 9i server ("planb" at 10.10.2.9) behind a NAT router, and access it from outside the router (any client in 128.100.31.0/24).

+--------+ public +--------------+ private +----------------+
| client |--------| firewall+nat |---------| oracle (planb) |
+--------+        +--------------+         +----------------+

I assume your router already has:

  • FreeBSD 4
  • options IPDIVERT and options IPFIREWALL in your kernel
  • daemontools installed and svscan running
  • Service directories in /var/service
  • Symlinks to service directories in /service

To run natd under daemontools on the router, create /var/service/natd/run:

#!/bin/sh
killall -9 natd 2>/dev/null
exec fghack natd -f ./natd.conf

Create /var/service/natd/natd.conf (change xl0 to your outside network interface, and change 10.10.2.9 to your Oracle server's private IP address):

interface xl0
dynamic
unregistered_only
redirect_port tcp 10.10.2.9:1521 1521

Enable the service.

fw# chmod +x /var/service/natd/run
fw# ln -s /var/service/natd /service/

Create (or add to) /etc/firewall to allow connections from clients to 10.10.2.9:1521. Change 128.100.31.0/24 to your clients' IP block. Because the divert rule comes first, natd has already rewritten the destination to 10.10.2.9 by the time the allow rule is evaluated, which is why that rule names the Oracle server's private address rather than the router's public one.

-f flush
add allow ip from any to any via lo0
add divert natd ip from any to any via xl0
add deny ip from 10.0.0.0/8 to any in recv xl0
add allow tcp from any to any established
add allow tcp from 128.100.31.0/24 to 10.10.2.9 1521 setup
add unreach port tcp from any to any
add unreach port udp from any to any
add deny ip from any to any

Add to /etc/rc.conf:

firewall_type=/etc/firewall

Apply the new firewall rules:

fw# nohup ipfw /etc/firewall
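To see why the allow rule has to name the private address, here is a small Python model (added here, not part of the original page) that walks the /etc/firewall ruleset above for a few constructed packets, rewriting the destination at the divert rule the way natd's redirect_port does. It assumes a placeholder public address of 192.0.2.1 on xl0 and simplifies "established" to "ACK set".

```python
import re
from ipaddress import ip_address, ip_network
NATD_REDIRECT = {("tcp", 1521): "10.10.2.9"}  # the page's redirect_port line
PUBLIC_IP = "192.0.2.1"  # constructed placeholder for the router's xl0 address
RULES = """\
add allow ip from any to any via lo0
add divert natd ip from any to any via xl0
add deny ip from 10.0.0.0/8 to any in recv xl0
add allow tcp from any to any established
add allow tcp from 128.100.31.0/24 to 10.10.2.9 1521 setup
add unreach port tcp from any to any
add unreach port udp from any to any
add deny ip from any to any""".splitlines()  # the page's /etc/firewall, minus "-f flush"
RULE_RE = re.compile(r"add (allow|deny|divert natd|unreach port) (ip|tcp|udp) "
                     r"from (\S+) to (\S+)(?: (\d+))?(.*)$")
def parse(line):
    action, proto, src, dst, port, opts = RULE_RE.match(line).groups()
    return action, proto, src, dst, int(port) if port else None, opts.split()

def in_net(addr, spec):
    return spec == "any" or ip_address(addr) in ip_network(spec)

def matches(rule, pkt):
    _, proto, src, dst, port, opts = rule
    after = lambda key: opts[opts.index(key) + 1]  # interface name following via/recv
    return (proto in ("ip", pkt["proto"])
            and in_net(pkt["src"], src) and in_net(pkt["dst"], dst)
            and (port is None or pkt["dport"] == port)
            and ("via" not in opts or pkt["iface"] == after("via"))
            and ("recv" not in opts or (pkt["dir"], pkt["iface"]) == ("in", after("recv")))
            and ("established" not in opts or "ack" in pkt["flags"])  # real ipfw: ACK or RST
            and ("setup" not in opts or pkt["flags"] == {"syn"}))

def verdict(pkt):
    """First terminal action for pkt; a matching divert rule rewrites dst as natd would."""
    pkt = dict(pkt)
    for rule in map(parse, RULES):
        if not matches(rule, pkt):
            continue
        if rule[0] != "divert natd":
            return rule[0]
        target = NATD_REDIRECT.get((pkt["proto"], pkt["dport"]))
        if pkt["dir"] == "in" and pkt["dst"] == PUBLIC_IP and target:
            pkt["dst"] = target  # packet re-enters the ruleset with the private address
    return "deny"

def inbound(src, proto="tcp", flags=("syn",)):  # constructed packet: in on xl0 to public:1521
    return {"proto": proto, "src": src, "dst": PUBLIC_IP, "dport": 1521,
            "flags": set(flags), "dir": "in", "iface": "xl0"}
```

A SYN from the client block is allowed, one from anywhere else gets a port-unreachable, a 10/8 source arriving on xl0 is dropped by the anti-spoofing rule, and the server's replies leave under the established rule.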