I’m trying to configure a Standalone Database Firewall in-line between the clients and the protected database so it can block some statements. I’ve followed the Installation Guide and the Administration Guide, but can’t get it working. I’ve configured one Enforcement Point with one Protected Database.
I’ve configured Database Firewall with three Ethernet cards:
eth0 is used for Management (IP 192.168.1.81)
eth1 and eth2 are associated with Bridged interface br0
The protected database is listening on 172.16.40.3:1521.
The clients are in subnet 192.168.1.x.
I’ve configured the Traffic Source br0 with the IP 172.16.40.2, and it is enabled as the Traffic Source in the Enforcement Point.
In the configuration file appliance.conf corresponding to the Enforcement Point, I’ve seen the parameter PROXYPORT=1534, so I understand the clients should connect to this port on the Database Firewall in order to access the protected database. Is this assumption correct? Is the configuration I’ve done correct? Are there any additional configuration steps that should be made? Is there any documentation about these configuration files?
For in-line blocking mode to work out of the box it is necessary that the DB clients' IPs (as they are seen in DBFW), br0 and the DB IP are all on the same subnet. If this is not the case you would need to fiddle with routing on the DBFW manually, which you are discouraged from doing because it's unlikely to be persistent, work correctly after upgrades, etc. DBFW is not intended to be a router, although it can be made to perform this function. In general I would advise you to stay within the supported configuration and just make sure your network infrastructure is ready for DBFW deployment, i.e. make sure all these IPs are on the same subnet.
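A small pre-flight check for the rule given in the answer (client IPs, br0 and the database IP all on one subnet), written as an added example that is not part of the original thread or of the Database Firewall product. It assumes a /24 prefix on br0 and uses the addresses from the question as constructed input:

```python
"""Pre-flight topology check for an in-line (bridged) Database Firewall.

Added example. Rule encoded: the DB clients' IPs as seen by the DBFW, the br0
bridge IP and the protected database IP must all lie in one subnet. The
prefix length of br0 is an assumption (default /24); adjust it to match eth1/eth2.
"""
import ipaddress
from typing import Iterable


def check_inline_topology(clients: Iterable[str], bridge_ip: str,
                          db_ip: str, prefix: int = 24) -> dict:
    """Return the bridge subnet and every host that falls outside it.

    Keys: 'subnet' (str), 'off_subnet' (list of str in input order),
    'ok' (True only when the database and all clients share br0's subnet).
    """
    subnet = ipaddress.ip_network(f"{bridge_ip}/{prefix}", strict=False)
    hosts = [db_ip, *clients]
    off = [h for h in hosts if ipaddress.ip_address(h) not in subnet]
    return {"subnet": str(subnet), "off_subnet": off, "ok": not off}


def report(result: dict) -> str:
    """Human-readable summary of a check_inline_topology() result."""
    if result["ok"]:
        return f"OK: all hosts are inside {result['subnet']}; in-line mode is supported."
    bad = ", ".join(result["off_subnet"])
    return (f"NOT SUPPORTED: {bad} outside {result['subnet']}; "
            "move these hosts into the bridge subnet rather than routing on the DBFW.")


if __name__ == "__main__":
    # Constructed sample: the question's layout. 192.168.1.10 stands in for
    # "a client in 192.168.1.x"; br0 is 172.16.40.2 and the DB is 172.16.40.3.
    current = check_inline_topology(["192.168.1.10"], "172.16.40.2", "172.16.40.3")
    print(report(current))       # flags 192.168.1.10 as off-subnet
    # Same check after placing the client in the bridge subnet.
    fixed = check_inline_topology(["172.16.40.50"], "172.16.40.2", "172.16.40.3")
    print(report(fixed))         # OK
```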