{"id":320,"date":"2020-05-15T08:50:28","date_gmt":"2020-05-15T06:50:28","guid":{"rendered":"https:\/\/anjo.pt\/wp\/keyword-oracle\/?p=320"},"modified":"2020-05-15T08:50:30","modified_gmt":"2020-05-15T06:50:30","slug":"oci-azure-and-oracle-db-firewall-and-security-rules","status":"publish","type":"post","link":"https:\/\/anjo.pt\/keyword-oracle\/2020\/05\/15\/oci-azure-and-oracle-db-firewall-and-security-rules\/","title":{"rendered":"OCI \/ Azure and Oracle DB: firewall and security rules"},"content":{"rendered":"\n

Many of the problems with VMs on Clouds are related to firewall or security rules. Here some elements that might help.<\/p>\n\n\n\n

These examples are based on Oracle Linux 7.7 virtual machines.<\/p>\n\n\n\n

Firewall: check if it is running<\/h2>\n\n\n\n

When is loaded and running (active) is shows like:<\/p>\n\n\n

\n[bash][opc@alfama ~]$ sudo systemctl status firewalld \n\u25cf firewalld.service - firewalld - dynamic firewall daemon\nLoaded: loaded (\/usr\/lib\/systemd\/system\/firewalld.service; enabled; vendor preset: enabled)\nActive: active (running) since Fri 2020-05-15 05:19:12 GMT; 15min ago\nDocs: man:firewalld(1)\nMain PID: 1640 (firewalld)\nTasks: 2\nMemory: 33.2M\nCGroup: \/system.slice\/firewalld.service\n\u2514\u25001640 \/usr\/bin\/python2 -Es \/usr\/sbin\/firewalld --nofork --nopid\n<\/pre><\/div>\n\n\n
When it is loaded but stopped:<\/p>\n\n\n
\n[opc@alfama ~]$ sudo systemctl status firewalld -l\n\u25cf firewalld.service - firewalld - dynamic firewall daemon\nLoaded: loaded (\/usr\/lib\/systemd\/system\/firewalld.service; enabled; vendor preset: enabled)\nActive: inactive (dead) since Fri 2020-05-15 05:36:09 GMT; 7s ago\nDocs: man:firewalld(1)\nProcess: 1640 ExecStart=\/usr\/sbin\/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0\/SUCCESS)\nMain PID: 1640 (code=exited, status=0\/SUCCESS)\n<\/pre><\/div>\n\n\n
Firewall: check ports open<\/h2>\n\n\n
\n[opc@boavista ~]$ sudo firewall-cmd --list-all\npublic (active)\n  target: default\n  icmp-block-inversion: no\n  interfaces: eth0\n  sources:\n  services: dhcpv6-client ssh\n  ports: 1521\/tcp\n  protocols:\n  masquerade: no\n  forward-ports:\n  source-ports:\n  icmp-blocks:\n  rich rules:\n<\/pre><\/div>\n\n\n
Firewall: open Oracle listener port<\/h2>\n\n\n\n
If we want to open the default listener port, two commands are needed. One for adding the rule and another to enable the new rule:<\/p>\n\n\n
\n[opc@mouraria bin]$ sudo firewall-cmd --zone=public --permanent --add-port=1521\/tcp\n[opc@mouraria bin]$ sudo firewall-cmd --reload\n<\/pre><\/div>\n\n\n
Firewall: allow ping reponses<\/h2>\n\n\n\n
Ping uses a separate protocol. To allow the VMs to answer pings, this rule needs to be added to the firewall:<\/p>\n\n\n
\n[opc@mouraria bin]$ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p icmp -s 0.0.0.0\/0 -d 0.0.0.0\/0 -j ACCEPT\n[opc@mouraria bin]$ sudo systemctl restart firewalld.service\n<\/pre><\/div>\n\n\n
On OCI, to be able to ping between hosts, it might be necessary to add an Ingress rule that allows pings. The rule should look like below. The most important is the Protocol ICMP and type 8. The source CIDR should not be larger than the VCN CIDR.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Test if port is open:<\/h2>\n\n\n\n
To check if the remote port is open, I use the follow commands. This works both with IPs or hostnames and also lets you know if port is open, but listener is not running (on this port):<\/p>\n\n\n
\n[opc@alfama ~]$ ### PORT UNREACHEABLE, SERVER DOWN\/WRONG? ###\n[opc@alfama ~]$ export CHECK_IP="10.1.2.4\/1521"\n[opc@alfama ~]$ timeout 1 bash -c '<\/dev\/tcp\/${CHECK_IP} && echo Port ${CHECK_IP} is open || echo Port ${CHECK_IP} is closed' || echo Connection timeout\nConnection timeout\n\n[opc@alfama ~]$ ### PORT OPEN, USING HOSTNAME ###\n[opc@alfama ~]$ export CHECK_IP="luz.subnetpriv2\/1521"\n[opc@alfama ~]$ timeout 1 bash -c '<\/dev\/tcp\/${CHECK_IP} && echo Port ${CHECK_IP} is open || echo Port ${CHECK_IP} is closed' || echo Connection timeout\nPort luz.subnetpriv2\/1521 is open\n\n[opc@alfama ~]$ ### PORT OPEN, USING IP ###\n[opc@alfama ~]$ timeout 1 bash -c '<\/dev\/tcp\/${CHECK_IP} && echo Port ${CHECK_IP} is open || echo Port ${CHECK_IP} is closed' || echo Connection timeout\nPort 10.1.5.3\/1521 is open\n\n[opc@alfama ~]$ ### PORT CLOSED ###\n[opc@alfama ~]$ export CHECK_IP="luz.subnetpriv2\/1522"\n[opc@alfama ~]$ timeout 1 bash -c '<\/dev\/tcp\/${CHECK_IP} && echo Port ${CHECK_IP} is open || echo Port ${CHECK_IP} is closed' || echo Connection timeout\nbash: connect: No route to host\nbash: \/dev\/tcp\/luz.subnetpriv2\/1522: No route to host\nPort luz.subnetpriv2\/1522 is closed\n\n[opc@alfama ~]$ ### PORT OPEN but LISTENER DOWN ###\n[opc@alfama ~]$ timeout 1 bash -c '<\/dev\/tcp\/${CHECK_IP} && echo Port ${CHECK_IP} is open || echo Port ${CHECK_IP} is closed' || echo Connection timeout\nbash: connect: Connection refused\nbash: \/dev\/tcp\/10.1.5.3\/1521: Connection refused\nPort 10.1.5.3\/1521 is closed\n<\/pre><\/div>\n\n\n
Bonus<\/h2>\n\n\n\n
At Oracle OCI, one can access other VMs of the VCN using the <hostname>.<subnet> <\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
On Azure, the <hostname> is enough to access other host of the VNet.<\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
Many of the problems with VMs on Clouds are related to firewall or security rules. Here some elements that might help. These examples are based on Oracle Linux 7.7 virtual machines. Firewall: check if it is running When is loaded and running (active) is shows like: When it is loaded but stopped: Firewall: check ports […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[55,56,54,57],"class_list":{"0":"post-320","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-oracle","7":"tag-azure","8":"tag-firewall","9":"tag-oci","10":"tag-ping","11":"czr-hentry"},"_links":{"self":[{"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/posts\/320","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/comments?post=320"}],"version-history":[{"count":7,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/posts\/320\/revisions"}],"predecessor-version":[{"id":329,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/posts\/320\/revisions\/329"}],"wp:attachment":[{"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/media?parent=320"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/categories?post=320"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/anjo.pt\/keyword-oracle\/wp-json\/wp\/v2\/tags?post=320"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}