
Seeking advice on Openlink/Informix Database Rules


kfriend (MIS), Feb 10, 2003
Hello everyone, it's the newb again!

I'm making fairly good progress with my firewall so far, thanks mostly to this forum and a lot of trial and error.

I need some advice on setting up rules to allow access to our informix server using Openlink ODBC. This is a Client/Server app.

Here's a document I came across that may make more sense to you than it does to me:


My site is running a perimeter firewall, then we're running the pix in front of all of our important servers as another layer of security (keep insiders out of stuff they shouldn't be in).

So basically everything except my servers is considered "outside".

Any help with what I need to do rule-wise would be greatly appreciated.

Thanks.

Hi.

I have looked at that article.
The bottom line as much as I could figure is that this application uses dynamic TCP ports from 5000 and above, and UDP port 60001.

Let's assume that internal IP address range is 192.168.1.0/24

You can modify the PortLow key in the Rule Book to be, for example, 60000. This is not a must, but it can help you to better identify the Openlink traffic.

I would go like this in your case:
static (inside,outside) x.x.x.x y.y.y.y
access-list fromoutside permit udp 192.168.1.0 255.255.255.0 host x.x.x.x eq 60001
access-list fromoutside permit tcp 192.168.1.0 255.255.255.0 host x.x.x.x gt 60000
Or instead you can use the range operator:
access-list fromoutside permit tcp 192.168.1.0 255.255.255.0 host x.x.x.x range 60000 65000

The fact that you open a broad range of ports still gives you the ability to block other ports, especially the well-known ports below 1024, and since only the Informix server should be listening on those high ports, your security policy will be OK and much better than no firewall at all.

Bye
Yizhar Hurwitz
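An added example, not part of the thread above: a small Python model of the two rule variants the reply proposes (UDP 60001 plus the dynamic TCP ports at or above PortLow) that renders them as PIX access-list lines and evaluates sample flows against them with first-match and the implicit deny. The client range 192.168.1.0/24 is the one assumed in the reply; the server address 10.0.0.5 is a constructed placeholder for x.x.x.x. It also shows the one edge case that separates the two variants: PIX `gt` is strictly greater-than, so `gt 60000` does not match port 60000 itself, while `range 60000 65000` does.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    op: str                       # PIX port operator: eq, gt or range
    lo: int
    hi: int = 0                   # only used by range

    def matches(self, proto, src, dst, port):
        if proto != self.proto:
            return False
        if (ipaddress.ip_address(src) not in self.src
                or ipaddress.ip_address(dst) not in self.dst):
            return False
        if self.op == "eq":
            return port == self.lo
        if self.op == "gt":       # strict: port 60000 does NOT match "gt 60000"
            return port > self.lo
        if self.op == "range":
            return self.lo <= port <= self.hi
        raise ValueError(f"unsupported operator {self.op}")

    def to_pix(self, name="fromoutside"):
        src = f"{self.src.network_address} {self.src.netmask}"
        dst = (f"host {self.dst.network_address}" if self.dst.prefixlen == 32
               else f"{self.dst.network_address} {self.dst.netmask}")
        ports = f"{self.op} {self.lo}" + (f" {self.hi}" if self.op == "range" else "")
        return f"access-list {name} {self.action} {self.proto} {src} {dst} {ports}"


def openlink_rules(clients, server, port_low, port_high=None):
    """Build the Openlink permits: UDP 60001 plus TCP from PortLow upward.
    Without port_high the reply's "gt" form is used, otherwise the "range" form."""
    c, s = ipaddress.ip_network(clients), ipaddress.ip_network(server)
    if port_high is None:
        tcp = Rule("permit", "tcp", c, s, "gt", port_low)
    else:
        tcp = Rule("permit", "tcp", c, s, "range", port_low, port_high)
    return [Rule("permit", "udp", c, s, "eq", 60001), tcp]


def evaluate(acl, proto, src, dst, port):
    """First matching entry wins; every PIX access-list ends with an implicit deny."""
    for rule in acl:
        if rule.matches(proto, src, dst, port):
            return rule.action
    return "deny"
```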