{"id":4698,"date":"2021-05-18T07:49:56","date_gmt":"2021-05-18T07:49:56","guid":{"rendered":"https:\/\/swiv.com.br\/opening-ports-in-db-system-internal-firewall\/"},"modified":"2026-05-27T20:02:32","modified_gmt":"2026-05-27T19:02:32","slug":"opening-ports-in-db-system-internal-firewall","status":"publish","type":"post","link":"https:\/\/swiv.com.br\/index.php\/2021\/05\/18\/opening-ports-in-db-system-internal-firewall\/","title":{"rendered":"Opening Ports in DB System Internal Firewall"},"content":{"rendered":"\n

Como j\u00e1 foi mencionado em alguns artigos sobre OCI, devido a pertinente preocupa\u00e7\u00e3o que devemos ter em rela\u00e7\u00e3o a seguran\u00e7a dos ambientes criados, temos 2 camadas para libera\u00e7\u00e3o de portas em um DB System: Security Lists e o Firewall interno da m\u00e1quina (Iptables). Aqui, vamos simular a cria\u00e7\u00e3o de um novo listener, que usa a porta 1522, e os procedimentos necess\u00e1rios para a sua utiliza\u00e7\u00e3o.<\/p>\n\n\n\n

Logando no ambiente com o usu\u00e1rio oracle, criando o arquivo listener.ora com o conte\u00fado do novo listener:<\/p>\n\n\n

\n[opc@luxor ~]$ sudo su - oracle\nLast login: Tue May 18 07:16:11 UTC 2021\n[oracle@luxor ~]$ cd $ORACLE_HOME\/network\/admin\n[oracle@luxor admin]$ vi listener.ora\n<\/pre><\/div>\n\n\n
Conte\u00fado dos par\u00e2metros respeitando os valores corretos do ambiente:<\/p>\n\n\n
\nINSULA=\n  (DESCRIPTION=\n    (ADDRESS_LIST=\n      (ADDRESS=(PROTOCOL=tcp)(HOST=luxor.luxorsubnet.luxorvcn.oraclevcn.com)(PORT=1522))\n      (ADDRESS=(PROTOCOL=ipc)(KEY=extproc)))\n  )\n \nSID_LIST_INSULA=\n  (SID_LIST=\n    (SID_DESC=\n      (GLOBAL_DBNAME=CORTEX_phx1hb)\n      (ORACLE_HOME=\/u01\/app\/oracle\/product\/12.2.0.1\/dbhome_1)\n      (SID_NAME=CORTEX))\n)\n<\/pre><\/div>\n\n\n
Iniciando o novo listener:<\/p>\n\n\n
\n[oracle@luxor admin]$ lsnrctl start INSULA\n \nLSNRCTL for Linux: Version 12.2.0.1.0 - Production on 18-MAY-2021 07:18:43\n \nCopyright (c) 1991, 2016, Oracle.  All rights reserved.\n \nStarting \/u01\/app\/oracle\/product\/12.2.0.1\/dbhome_1\/bin\/tnslsnr: please wait...\n \nTNSLSNR for Linux: Version 12.2.0.1.0 - Production\nSystem parameter file is \/u01\/app\/oracle\/product\/12.2.0.1\/dbhome_1\/network\/admin\/listener.ora\nLog messages written to \/u01\/app\/oracle\/diag\/tnslsnr\/luxor\/insula\/alert\/log.xml\nListening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=luxor.luxorsubnet.luxorvcn.oraclevcn.com)(PORT=1522)))\nListening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=extproc)))\n \nConnecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=luxor.luxorsubnet.luxorvcn.oraclevcn.com)(PORT=1522)))\nSTATUS of the LISTENER\n------------------------\nAlias                     INSULA\nVersion                   TNSLSNR for Linux: Version 12.2.0.1.0 - Production\nStart Date                18-MAY-2021 07:18:43\nUptime                    0 days 0 hr. 0 min. 0 sec\nTrace Level               off\nSecurity                  ON: Local OS Authentication\nSNMP                      OFF\nListener Parameter File   \/u01\/app\/oracle\/product\/12.2.0.1\/dbhome_1\/network\/admin\/listener.ora\nListener Log File         \/u01\/app\/oracle\/diag\/tnslsnr\/luxor\/insula\/alert\/log.xml\nListening Endpoints Summary...\n  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=luxor.luxorsubnet.luxorvcn.oraclevcn.com)(PORT=1522)))\n  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=extproc)))\nServices Summary...\nService "CORTEX_phx1hb" has 1 instance(s).\n  Instance "CORTEX", status UNKNOWN, has 1 handler(s) for this service...\nThe command completed successfully\n[oracle@luxor admin]$ lsnrctl service INSULA\n \nLSNRCTL for Linux: Version 12.2.0.1.0 - Production on 18-MAY-2021 07:18:56\n \nCopyright (c) 1991, 2016, Oracle.  All rights reserved.\n \nConnecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=luxor.luxorsubnet.luxorvcn.oraclevcn.com)(PORT=1522)))\nServices Summary...\nService "CORTEX_phx1hb" has 1 instance(s).\n  Instance "CORTEX", status UNKNOWN, has 1 handler(s) for this service...\n    Handler(s):\n      "DEDICATED" established:0 refused:0\n         LOCAL SERVER\nThe command completed successfully\n<\/pre><\/div>\n\n\n
Adicionando uma nova string no arquivo tnsnames.ora na m\u00e1quina do DB-System:<\/p>\n\n\n
\n[oracle@luxor admin]$ vi tnsnames.ora\n<\/pre><\/div>\n\n
\nCORTEX_INSULA =\n  (DESCRIPTION =\n    (ADDRESS = (PROTOCOL = TCP)(HOST = luxor.luxorsubnet.luxorvcn.oraclevcn.com)(PORT = 1522))\n    (CONNECT_DATA =\n      (SERVER = DEDICATED)\n      (SID = CORTEX)\n    )\n  )\n<\/pre><\/div>\n\n\n
Realizando teste de tnsping e validando a sua conex\u00e3o (que teoricamente deve dar certo pois o acesso de origem est\u00e1 dentro da subnet, ou seja, n\u00e3o teria de passar pelas regras do Security List ou Iptables):<\/p>\n\n\n
\n[oracle@luxor admin]$ tnsping CORTEX_INSULA\n \nTNS Ping Utility for Linux: Version 12.2.0.1.0 - Production on 18-MAY-2021 07:21:07\n \nCopyright (c) 1997, 2016, Oracle.  All rights reserved.\n \nUsed parameter files:\n\/u01\/app\/oracle\/product\/12.2.0.1\/dbhome_1\/network\/admin\/sqlnet.ora\n \n \nUsed TNSNAMES adapter to resolve the alias\nAttempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = luxor.luxorsubnet.luxorvcn.oraclevcn.com)(PORT = 1522)) (CONNECT_DATA = (SERVER = DEDICATED) (SID = CORTEX)))\nOK (0 msec)\n[oracle@luxor admin]$ sqlplus system@CORTEX_INSULA\n \nSQL*Plus: Release 12.2.0.1.0 Production on Tue May 18 07:21:21 2021\n \nCopyright (c) 1982, 2016, Oracle.  All rights reserved.\n \nEnter password:\nLast Successful login time: Tue May 18 2021 07:08:55 +00:00\n \nConnected to:\nOracle Database 12c EE Extreme Perf Release 12.2.0.1.0 - 64bit Production\n \nSQL> SELECT NAME,OPEN_MODE,CDB FROM V$DATABASE;\n \nNAME      OPEN_MODE            CDB\n--------- -------------------- ---\nCORTEX    READ WRITE           YES\n<\/pre><\/div>\n\n\n
Agora pego essa mesma string de conex\u00e3o, exceto pelo host, que eu substituo pelo IP p\u00fablico da m\u00e1quina, e adiciono no arquivo tnsnames.ora do meu notebook pessoal:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Ao fazer o teste de tnsping, vemos que n\u00e3o \u00e9 poss\u00edvel chegar no ambiente:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Assim, vamos at\u00e9 a Subnet onde reside nossa m\u00e1quina que hospeda o DB-System, e adicionamos na Security List uma regra para a porta 1522, que \u00e9 utilizada em nosso novo listener:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Regra criada com sucesso:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Por\u00e9m, ao tentar realizar o teste de conex\u00e3o novamente, o mesmo erro \u00e9 reportado:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Isso nos indica que algum bloqueio ainda ocorre, fora da camada da Security List. Assim, vamos para a camada de firewall interno do S.O (Iptables). Logando com o usu\u00e1rio root, vamos realizar um backup das configura\u00e7\u00f5es atuais, para caso de rollback:<\/p>\n\n\n
\n[oracle@luxor admin]$ exit\nlogout\n[opc@luxor ~]$ sudo su -\nLast login: Tue May 18 07:24:42 UTC 2021\n[root@luxor ~]# iptables-save > \/tmp\/iptables.OLD\n[root@luxor ~]# ls -lthr \/tmp\/iptables.OLD\n-rw-r--r-- 1 root root 4.8K May 18 07:31 \/tmp\/iptables.OLD\n[root@luxor ~]#\n<\/pre><\/div>\n\n\n
Adicionando regra para a porta 1522:<\/p>\n\n\n
\n[root@luxor ~]# iptables -I INPUT 8 -p tcp -m state --state NEW -m tcp --dport 1522 -j ACCEPT -m comment --comment "Listener INSULA"\n[root@luxor ~]#\n<\/pre><\/div>\n\n\n
Validando status do Iptables:<\/p>\n\n\n
\n[root@luxor ~]# service iptables status\nRedirecting to \/bin\/systemctl status iptables.service\n\u25cf iptables.service - IPv4 firewall with iptables\n   Loaded: loaded (\/usr\/lib\/systemd\/system\/iptables.service; enabled; vendor preset: disabled)\n   Active: active (exited) since Tue 2021-05-18 06:48:54 UTC; 47min ago\n  Process: 1089 ExecStart=\/usr\/libexec\/iptables\/iptables.init start (code=exited, status=0\/SUCCESS)\n Main PID: 1089 (code=exited, status=0\/SUCCESS)\n   CGroup: \/system.slice\/iptables.service\n \nMay 18 06:48:54 luxor systemd[1]: Starting IPv4 firewall with iptables...\nMay 18 06:48:54 luxor iptables.init[1089]: iptables: Applying firewall rules: [  OK  ]\nMay 18 06:48:54 luxor systemd[1]: Started IPv4 firewall with iptables.\n<\/pre><\/div>\n\n\n
Salvando arquivo alterado no sysconfig:<\/p>\n\n\n
\n[root@luxor ~]# service iptables save\niptables: Saving firewall rules to \/etc\/sysconfig\/iptables:[  OK  ]\n[root@luxor ~]#\n<\/pre><\/div>\n\n\n
Ap\u00f3s isso, j\u00e1 podemos constatar que o teste de tnsping j\u00e1 resolve com sucesso:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Conectando no ambiente para ter certeza:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Obs: Este procedimento foi criado pelo senhor Ahmed Baraka (www.ahmedbaraka.com) e foi apenas reproduzido por mim em um laborat\u00f3rio pessoal para fins de aprendizado.<\/p>\n","protected":false},"excerpt":{"rendered":"
Como j\u00e1 foi mencionado em alguns artigos sobre OCI, devido a pertinente preocupa\u00e7\u00e3o que devemos ter em rela\u00e7\u00e3o a seguran\u00e7a dos ambientes criados, temos 2 camadas para libera\u00e7\u00e3o de portas em um DB System: Security Lists e o Firewall interno da m\u00e1quina (Iptables). Aqui, vamos simular a cria\u00e7\u00e3o de um novo listener, que usa a […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-4698","post","type-post","status-publish","format-standard","hentry","category-oci"],"_links":{"self":[{"href":"https:\/\/swiv.com.br\/index.php\/wp-json\/wp\/v2\/posts\/4698","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/swiv.com.br\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/swiv.com.br\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/swiv.com.br\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/swiv.com.br\/index.php\/wp-json\/wp\/v2\/comments?post=4698"}],"version-history":[{"count":1,"href":"https:\/\/swiv.com.br\/index.php\/wp-json\/wp\/v2\/posts\/4698\/revisions"}],"predecessor-version":[{"id":9133,"href":"https:\/\/swiv.com.br\/index.php\/wp-json\/wp\/v2\/posts\/4698\/revisions\/9133"}],"wp:attachment":[{"href":"https:\/\/swiv.com.br\/index.php\/wp-json\/wp\/v2\/media?parent=4698"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/swiv.com.br\/index.php\/wp-json\/wp\/v2\/categories?post=4698"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/swiv.com.br\/index.php\/wp-json\/wp\/v2\/tags?post=4698"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}