open port numbers behind the firewall - Firewalls


  1. open port numbers behind the firewall

    Before adding the firewall, the applications are up and running. My
    understanding is that the firewall is in front of websphere server and
    database server. Now, the websphere server cannot connect to database
    server on port 1521, that means port 1521 needs to be open on database
    server side? Do we need to open the same port 1521 on websphere server
    too? I cannot ping, cannot telnet from websphere to database.


    Please advise. Thanks a lot!!

  2. Re: open port numbers behind the firewall

    Steve wrote:
    > Before adding the firewall, the applications are up and running. My
    > understanding is that the firewall is in front of websphere server and
    > database server. Now, the websphere server cannot connect to database
    > server on port 1521, that means port 1521 needs to be open on database
    > server side?


    The port probably is open on the database server, but you'll also need
    to configure the firewall to allow traffic to that port on the database
    server.

    > Do we need to open the same port 1521 on websphere server too?


    Unlikely.

    > I cannot ping, cannot telnet from websphere to database.


    So?

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

  3. Re: open port numbers behind the firewall


    > > Do we need to open the same port 1521 on websphere server too?

    >
    > Unlikely.


    We need to open the port that the database server listens on for the
    websphere server's requests. But on what port does websphere listen for
    the response from the database server?

    I think a similar analogy is the web browser. When we go to
    http://www.google.com, the google server listens on port 80 for the
    requests from the web browser. How about the data sent back from the
    web server to the web browser, what port does the web browser listen on?

    >
    > > I cannot ping, cannot telnet from websphere to database.

    >
    > So?
    >
    > cu
    > 59cobalt
    > --
    > "If a software developer ever believes a rootkit is a necessary part of
    > their architecture they should go back and re-architect their solution."
    > --Mark Russinovich



  4. Re: open port numbers behind the firewall

    Hi,

    > I think a similar analogy is the web browser. When we go to
    > http://www.google.com, the google server listens on port 80 for the
    > requests from the web browser. How about the data sent back from the
    > web server to the web browser, what port does the web browser listen on?


    Depending on the OS anything from either 1-65365 or 1024-65365.
    The originating port is not important; the firewall can track the
    connection.

    You should ask someone who is proficient with security to help you
    design and set up the network and security measures.

    Cheers,
    Jens


  5. Re: open port numbers behind the firewall

    Steve wrote:
    > Before adding the firewall, the applications are up and running. My
    > understanding is that the firewall is in front of websphere server and
    > database server. Now, the websphere server cannot connect to database
    > server on port 1521 [...]


    > Please advise. Thanks a lot!!


    Talk to your sysadmin folks and explain what you need to achieve.

    Chris

  6. Re: open port numbers behind the firewall

    In article 12e81ab10baa@w39g2000prb.googlegroups.com>, javacc2@gmail.com says...
    > Before adding the firewall, the applications are up and running. My
    > understanding is that the firewall is in front of websphere server and
    > database server. Now, the websphere server cannot connect to database
    > server on port 1521, that means port 1521 needs to be open on database
    > server side? Do we need to open the same port 1521 on websphere server
    > too? I cannot ping, cannot telnet from websphere to database.
    >
    >
    > Please advise. Thanks a lot!!
    >


    If the firewall is in front of BOTH the Web/DB server, but the Web and
    DB server are in different networks (and they should be), then you need
    to map a rule between the web server's firewall network and the database
    server's network for the port that it communicates on.

    Firewall PUBLIC Port (some public IP)
    Firewall WEB Sv Port (192.168.8.10/24) just making up a network
    Firewall DB Sv Port (192.168.9.10/24) just making up a network

    By default there is no access between 192.168.8 and 192.168.9 networks;
    you have to make a rule between them.

    Your rule should be as specific as possible, something like this:

    Allow 192.168.8.10 (Web) > 192.168.9.10:TCP 1521

    This limits access to the data to JUST the IP and Port of the database
    server.

    With a rule like this you can NOT PING or telnet to the DB server, since
    you didn't create a PING/Telnet rule to permit access.

    If you set up improper rules your web server could allow external users
    to compromise your database - please contact the firewall administrator
    to make the proper changes for you.


    --
    - Igitur qui desiderat pacem, praeparet bellum.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    spam999free@rrohio.com (remove 999 for proper email address)

  7. Re: open port numbers behind the firewall

    Steve wrote:
    >>> Do we need to open the same port 1521 on websphere server too?

    >>
    >> Unlikely.

    >
    > We need to open the port that the database server listens on for the
    > websphere server's requests. But on what port does websphere listen for
    > the response from the database server?


    That's irrelevant. The response from the database server will take the
    same route as the request, only in the opposite direction. If the
    firewall is stateful (which it should be), you don't need to do anything
    other than allow requests to the database server's port.

    > I think a similar analogy is the web browser. When we go to
    > http://www.google.com, the google server listens on port 80 for the
    > requests from the web browser. How about the data sent back from the
    > web server to the web browser, what port does the web browser listen on?


    Web browsers don't listen on any port. It's the same as described above.
    The response goes back through the already established connection.

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich
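
The single rule from post 6 and the stateful behaviour described in post 7, modelled in Python as an added example (not code from any poster or firewall product). The client source ports, the second web-side host 192.168.8.11 and the verdict strings are constructed for illustration, and the model ignores connection teardown and timeouts.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"   # "tcp" or "icmp"
    syn: bool = False    # True only for the first packet of a TCP connection

# The one rule from the thread: Allow 192.168.8.10 (Web) > 192.168.9.10:TCP 1521
RULES = [("192.168.8.10/32", "192.168.9.10/32", "tcp", 1521)]

class StatefulFirewall:
    def __init__(self, rules):
        self.rules = [(ipaddress.ip_network(s), ipaddress.ip_network(d), p, port)
                      for s, d, p, port in rules]
        self.state = set()   # connections already accepted, keyed by 5-tuple

    def _rule_allows(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        return any(src in s and dst in d and pkt.proto == p and pkt.dport == port
                   for s, d, p, port in self.rules)

    def filter(self, pkt):
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if flow in self.state or reverse in self.state:
            return "ACCEPT (established)"   # replies ride the tracked connection
        if pkt.proto == "tcp" and pkt.syn and self._rule_allows(pkt):
            self.state.add(flow)
            return "ACCEPT (new)"
        return "DROP"                       # default deny between the networks

def demo():
    # Constructed sample traffic; ports 40123-40125 and 50000 are made up.
    fw = StatefulFirewall(RULES)
    web, db = "192.168.8.10", "192.168.9.10"
    return [
        fw.filter(Packet(web, 40123, db, 1521, syn=True)),  # app connects to DB
        fw.filter(Packet(db, 1521, web, 40123)),             # DB reply, no extra rule
        fw.filter(Packet(web, 0, db, 0, proto="icmp")),      # ping
        fw.filter(Packet(web, 40124, db, 23, syn=True)),     # telnet (port 23)
        fw.filter(Packet(db, 50000, web, 1521, syn=True)),   # DB-initiated to web
        fw.filter(Packet("192.168.8.11", 40125, db, 1521, syn=True)),  # other host
    ]

if __name__ == "__main__":
    print("\n".join(demo()))
```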
