Implement oracle firewall using valid node checking

When installing the new R12.2.6 Vision VM Template, I quickly ran into an issue where I could connect to the database on port 1521 locally, but not from a remote machine. All networking was in order, and ssh and ping both indicated good connectivity, but when I looked at the listener log I discovered that this was happening:

<msg time='2017-06-13T22:04:21.700-04:00' org_id='oracle' comp_id='tnslsnr'
type='UNKNOWN' level='16' host_id='apps.example.com'
host_addr='10.0.1.105'>
<txt>TNS-12546: TNS:permission denied
TNS-12560: TNS:protocol adapter error
TNS-00516: Permission denied
Linux Error: 115: Operation now in progress
</txt>
</msg>
<msg time='2017-06-13T22:04:36.662-04:00' org_id='oracle' comp_id='tnslsnr'
type='UNKNOWN' level='16' host_id='apps.example.com'
host_addr='10.0.1.105'>
<txt>Incoming connection from 10.0.1.11 rejected
</txt>
</msg>

Then, when I searched Google for some of this text, a blog post came up at this location: InformationSecurityBuzz.com

This article talks about setting up the sqlnet_ifile.ora file with:

tcp.validnode_checking=yes
tcp.invited_nodes=(apps.example.com)

And I remembered that I had done something like that while following the Oracle EBS Vision 12.2.6 install guide.

Screenshot from page 16 of Oracle eBS R12.2.6 Vision Install Guide

Yep, I caused my own pain. So the solution was to edit this file and add any client nodes I want to allow to connect, as a comma-delimited list between the parentheses (IP addresses are OK).

Then restart the server.
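To see why the listener rejected 10.0.1.11, here is an added Python model (my own example, not Oracle's code and not from the original post) that parses sqlnet_ifile.ora-style parameters and applies the valid node checking rule: once tcp.invited_nodes is set, only listed clients are accepted, and tcp.excluded_nodes only matters when no invited list exists. The two ifile fragments are constructed, and the CIDR and trailing-* matching is an assumption modelled on the syntax newer listeners accept.

```python
import ipaddress

# Constructed sqlnet_ifile.ora fragments: the install-guide version that
# rejected the remote client, and the fixed one with that client added.
ORIGINAL_IFILE = "tcp.validnode_checking=yes\ntcp.invited_nodes=(apps.example.com)\n"
FIXED_IFILE = ("tcp.validnode_checking=yes\n"
               "tcp.invited_nodes=(apps.example.com, 10.0.1.11, 10.0.1.0/24)\n")

def parse_sqlnet(text):
    """Parse key=value lines; a parenthesised value becomes a list of entries."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value.startswith("(") and value.endswith(")"):
            value = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        params[key.lower()] = value
    return params

def _matches(client, entry):
    """Exact host/IP match; CIDR and trailing-'*' matching is an assumption
    modelled on the syntax newer listeners accept (not verified here)."""
    if client.lower() == entry.lower():
        return True
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:
        return False  # hostnames only match exactly in this model
    if "/" in entry:
        try:
            return ip in ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False
    return entry.endswith("*") and client.startswith(entry[:-1])

def is_admitted(params, client):
    """Valid-node rule: with checking on and an invited list present, only
    listed clients get in; the excluded list applies only without one."""
    if str(params.get("tcp.validnode_checking", "no")).lower() != "yes":
        return True, "valid node checking disabled"
    invited = params.get("tcp.invited_nodes", [])
    if invited:
        ok = any(_matches(client, e) for e in invited)
        return ok, "on invited list" if ok else "not on invited list (rejected)"
    if any(_matches(client, e) for e in params.get("tcp.excluded_nodes", [])):
        return False, "on excluded list"
    return True, "no list applies"
```

Running `is_admitted(parse_sqlnet(ORIGINAL_IFILE), "10.0.1.11")` reproduces the rejection from the log, while the same call against FIXED_IFILE admits the client; the real listener still has to be restarted before the edited file takes effect.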

Helpful documents:
Readable Version of Blog Post
R12.2.6 Vision Install Guide
