Windows Firewall

Over the years, protection has become increasingly more and more difficult to avoid.  It is everywhere, we have high end firewalls to let you, we have high end firewalls to let you out, we have firewalls within firewalls to protect other firewalls, and we also have firewalls on the servers themselves.  Sometimes you spend hours trying to figure out why something is not communicating to something else, and it turns out the good old Windows Firewall is causing your problem.  On the Unix Systems you may encounter firewall rules via the iptables security configuration, but that is another story.

A few weeks ago, while troubleshooting a connection issue, I found an article:  Top 10: Windows Firewall netsh commands and I was very pleased that I had. If you ever try to work through all the rules in Windows Firewall, you will be there awhile.

Tip #1: Turn off Windows Firewall – fastest way to determine if WFW is the problem

netsh advfirewall set allprofiles state on netsh advfirewall set allprofiles state off

Tip #2: Query Windows Firewall

netsh advfirewall firewall show rule name=all

Tip #3: Enable/Disable Ping

Disable: netsh advfirewall firewall add rule name=”All ICMP V4″ dir=in action=block protocol=icmpv4

Enable: netsh advfirewall firewall add rule name=”All ICMP V4″ dir=in action=allow protocol=icmpv4

Tip #4: Add/Remove a Specific Port Rule (i.e. For 1521 Oracle DB)

netsh advfirewall firewall add rule name=”Open Oracle DB Port 1521″ dir=in action=allow protocol=TCP localport=1521

netsh advfirewall firewall delete rule name=”Open Oracle DB Port 1521″ protocol=tcp localport=1521

Tip #5: Enable RDC Remote Desktop Connection

netsh advfirewall firewall set rule group=”remote desktop” new enable=Yes

Tip #6: Export/Import Firewall Settings (Same Rules – Multiple Machines)

netsh advfirewall export “C:\WFW-configuration.wfw”

netsh advfirewall import “C:\WFW-configuration.wfw”

Okay, this is a little embarrassing but it points out an important concept.  Sometimes reviewing the basics can save you a lot of time and frustration.

During my last go-live weekend we cut over to a whole new infrastructure for the new HCM 9.2 environment.  This included an external web server for the e-recruiting module that is in use.  The new web server was configured and up and running and the SSL certificates were in place and for testing purposes I put an entry in the hosts file to verify everything worked.  On go-live we had to change the external DNS and NATs for the new servers so that it could work in the DMZ.  According to the network guys everything was done and the only thing they could tell me was that my Weblogic Web Server was not running or not accepting requests.

Now clearly, I was on the actual server and had tested everything so, I know that the Weblogic was working and it was communicating to the application servers.  I could RDC to the server and even map UNC paths to the other servers to get files to and from the old servers.  Clearly communications were working.  It just simply wouldn’t allow http and https traffic.

Turns out that this server was created from a completely different VM template than all my other servers.  When I looked closely I found that the Windows Firewall was turned on and was blocking the web traffic.   Unfortunately this was after about 5 hours of having the network guys looking into the problem.  Now they had to do some work but the problem clearly could have been resolved VERY quickly if I had just thought to look at the settings on the server.  Oh Windows Firewall how you frustrate me.

When starting the install of Oracle Database Server there always seems to be a few items that either you are just suppose to know or you spend a day banging your head against the wall trying to figure out what you need to do to get the install up and running.

First item, is creating a database user and group for the install. Do this as the root user:

# groupadd -g 1001 oinstall
# groupadd -g 1002 dba
# useradd -u 1002 -g oinstall -G dba oracle
# passwd oracle

Next, you need to setup X11 forwarding. Modify the /etc/ssh/ssh_config file to allow forwarding: ForwardX11 yes. I personally use BitVise SSH Client and Xming in order to access my SSH environments. In the Xming client, I change the offset to 10 from the default of 0. In the SSH Client, enable X11 Forwarding and set it to 127.0.0.1:10. On the Unix box, install the xauth rpm using yum install xauth. Connect as the oracle user (or psoft) and create the xauthority file, command: xauth add 127.0.0.1:10 . 12345678900987654321123456789009 – you should be able to validate that x11 works by running xclock – if you see a clock, you are golden! If you see the error: Warning: Cannot convert string “” to type XftFont, do a yum install xorg-x11-fonts*

Firewalls can be a bit of a problem, and you will want to make sure that the iptables firewall allows the database to talk to machines that will be connecting to the database. In this example 10.100.120.10 is my application server connecting to the database server 10.100.120.20:

-A INPUT -s 10.100.120.10 -p tcp -m state –state NEW,ESTABLISHED -m tcp –dport 1521 -j ACCEPT
-A OUTPUT -s 10.100.120.20 -p tcp -m state –state ESTABLISHED -m tcp –dport 1024:65535 –sport 1521 -j ACCEPT

RPMs need to installed in order to make the install work correctly, you can manually do everything or you can automate the application by:

# cd /etc/yum.repos.d
# wget https://public-yum.oracle.com/public-yum-ol6.repo –no-check-certificate
# yum install oracle-rdbms-server-11gR2-preinstall
wget https://public-yum.oracle.com/RPM-GPG-KEY-oracle-ol6 -O /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle –no-check-certificate

RPM Libraries need to be installed in order to make the OUI work:
binutils-2.17.50.0.6
compat-libstdc++-33-3.2.3
compat-libstdc++-33-3.2.3 (32 bit)
elfutils-libelf-0.125
elfutils-libelf-devel-0.125
gcc-4.1.2
gcc-c++-4.1.2
glibc-2.5-24
glibc-2.5-24 (32 bit)
glibc-common-2.5
glibc-devel-2.5
glibc-devel-2.5 (32 bit)
glibc-headers-2.5
ksh-20060214
libaio-0.3.106
libaio-0.3.106 (32 bit)
libaio-devel-0.3.106
libaio-devel-0.3.106 (32 bit)
libgcc-4.1.2
libgcc-4.1.2 (32 bit)
libstdc++-4.1.2
libstdc++-4.1.2 (32 bit)
libstdc++-devel 4.1.2
make-3.81
sysstat-7.0.2