AIX IP filtering and Oracle

[Popesy]

Hi

Running AIX6.1 with oracle 10.2g.  I am currently using aixpert to harden the OS.  The high settings have been applied (with all the usual precautions i.e. not locking root), however there is one sticky point - using 'shun' host/port with the IPSec element of the 'high' level configuration.

As I understand it the shun config protects various ports, that is ok - but it seems to stop oracle working.  I am not a DBA, but understand that oracle uses port 1521 (maybe others as an increment on this port) and not any of  the ports that are configured to be protected by the 'shun' setting.

Any thoughts of how I may overcome this?

I guess I could potentially drop the IPSec config altogether, but I would like to understand why Oracle reacts as it does.

Cheers

JP

[Michael]

A couple of things that you can do to troubleshoot this is log the ipsec filtering activity.

lsfilt -v4 -O will list all the current rules - logging might be disabled on the rules. If so, you will need to modify the rules using smitty, or the chfilt command.

In /etc/syslogd.conf add a line like:
local4.info            /data/logs/syslog/local4.info     rotate time 1d size 1m

and before refreshing the syslogd touch the file name. Files must exist beforehand or syslogd will not write to them.

then run the command:

mkfilt -g start -v 4

to actiually start the logging.

lsfilt -v4 -a lists the active filters - the dynamic deny filters are the ones created by the SHUN mechanism.