CarlosinFL wrote: There are options available in sqlnet.ora, but this really is not the proper place to do IP filtering. I suppose if you are wanting to restrict it to just two IPs, you are speaking of the IP of an application server, not the IP of an end-user's desktop.
I was asked if it was possible to restrict which users or client IPs connect to my Oracle 11.2 database. I guess I could just shut down the listener and have me and one other DBA connect to it via SSH / LOCALHOST, but I was wondering if there was a more DBA-specific way to restrict client connections to just two specific IPs over the Oracle listening port?
Thanks for any info...
We had a similar requirement recently in my shop.
We looked at traditional firewall rules, SQL*NET Valid Node checking, and a database logon trigger.
We went with a logon trigger in our situation, but it is not a perfect solution in itself, and not the right solution for everyone.
If you have an Enterprise Edition licence, you might want to look at using a Connection Manager. You can design reasonably clever rules for which hosts or IP addresses (or entire subnets) are allowed to connect to which services.
EdStevens wrote: Actually it's the other way around and I apologize as I obviously have no experience or business being a DBA but would like to eventually become one. I just would like to know the protocol for a DBA if he did in fact want to only allow particular end-user desktop IPs. Our application server is only Clearquest and it's sadly also running locally on the same Linux box that has Oracle Database 11g installed. I would also like to eventually stand up a dedicated Oracle database server and just have the Clearquest (application server?) connect to the dedicated Oracle box.
There are options available in sqlnet.ora, but this really is not the proper place to do IP filtering. I suppose if you are wanting to restrict it to just two IPs, you are speaking of the IP of an application server, not the IP of an end-user's desktop.
There is more than one option. One of them, as Ed said, is through sqlnet.ora using tcp.validnode_checking; another way you can use is through an Oracle profile connect_time, or using a network firewall.
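The logon-trigger approach mentioned in the replies above, as an added example that is not part of the original thread or any poster's own code. The table name, trigger name, error number and the 192.0.2.x addresses are assumptions chosen for illustration; creating the trigger requires the ADMINISTER DATABASE TRIGGER privilege.

```sql
-- Added example: allow-list of client IPs enforced by an AFTER LOGON trigger.
-- allowed_client_ips and trg_restrict_client_ip are hypothetical names;
-- the addresses below are constructed placeholders (documentation range).

CREATE TABLE allowed_client_ips (
  ip_address VARCHAR2(45) PRIMARY KEY,
  note       VARCHAR2(100)
);

INSERT INTO allowed_client_ips VALUES ('192.0.2.10', 'DBA workstation 1 (constructed)');
INSERT INTO allowed_client_ips VALUES ('192.0.2.11', 'DBA workstation 2 (constructed)');
-- An application on the database host that connects through the listener
-- (as ClearQuest does in this thread) arrives from the loopback address.
INSERT INTO allowed_client_ips VALUES ('127.0.0.1', 'local application via listener');
COMMIT;

CREATE OR REPLACE TRIGGER trg_restrict_client_ip
AFTER LOGON ON DATABASE
DECLARE
  -- Client address as seen by the server; NULL for local (bequeath/IPC)
  -- sessions, e.g. sqlplus started on the host after an SSH login.
  v_ip    VARCHAR2(45) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  v_count PLS_INTEGER;
BEGIN
  IF v_ip IS NOT NULL THEN
    SELECT COUNT(*)
    INTO   v_count
    FROM   allowed_client_ips
    WHERE  ip_address = v_ip;

    IF v_count = 0 THEN
      -- Raising an error in a logon trigger terminates the new session.
      RAISE_APPLICATION_ERROR(-20001,
        'Connections from ' || v_ip || ' are not permitted');
    END IF;
  END IF;
END;
/
```

Two limits of this approach: accounts holding ADMINISTER DATABASE TRIGGER (for example through the DBA role) can still log on when the trigger raises an error, and the trigger fires only after the listener has accepted the connection and the user has authenticated, so it does not shield the listener port itself.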