 DB2 and IPchains
Suppose the following scenario:

a DB2 server - intranet
a DB2 client - DMZ


How should I configure IPchains on the firewall?


Sat, 07 Sep 2002 03:00:00 GMT
Unfortunately, I can't give you a working example, but I'll give you the
background information you need to set it up yourself.

With DB2, all communication is initiated by the client (even when the
server flows information to the client, it's on a link that the client
established).  So, this means that you need to allow communication from
the DMZ to the intranet for the IP address of the server.  This, of
course, leaves a fairly big hole and you can tighten it:

1) The server uses two well-defined ports.  Look at the SVCENAME entry
in the database manager configuration.  This name can be looked up in
/etc/services to determine the base port that DB2 uses.  The other port
is one greater and is used for interrupt processing.  You only need to
allow TCP packets on these ports for DB2 to work.

An example: My server has its SVCENAME set to "xdoole".  In
/etc/services, xdoole is defined as 19140/tcp.  This means that a
firewall would only need to allow TCP packets on ports 19140 and 19141
through to my DB2 server.

2) If your client is at a fixed IP address in the DMZ, only allow
connections from that address to go through the firewall.

Hope this helps.
    Doug Doole
    DB2 Universal Database Development
    IBM Toronto Labs
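The two points above (SVCENAME lookup in /etc/services, then rules restricted to the two DB2 ports and the client's fixed address) put together in ipchains syntax, as an added example that is not from the original post. The /etc/services excerpt, the DMZ client address 10.0.1.5 and the intranet server address 192.168.1.10 are constructed; the rules go on the forward chain of the firewall between the two networks.

```shell
#!/bin/sh
# Constructed /etc/services excerpt; on a real host read /etc/services on the DB2 server.
SERVICES_DATA='xdoole          19140/tcp   # DB2 SVCENAME (connection port)
xdoolei         19141/tcp   # interrupt port, always base + 1
db2inst1        50000/tcp'

# Resolve a SVCENAME to its base TCP port from services-format text on stdin.
svc_port() {
    awk -v name="$1" '
        $1 == name { split($2, f, "/"); if (f[2] == "tcp") { print f[1]; exit } }'
}

# Emit ipchains rules for the forward chain for one client/server pair.
# $1 = DMZ client IP, $2 = intranet DB2 server IP, $3 = base port from SVCENAME
db2_rules() {
    client="$1"; server="$2"; base="$3"
    intr=$((base + 1))
    # 1) Client-initiated connections to the two DB2 ports only (SYN permitted,
    #    because DB2 clients always open the connection).
    echo "ipchains -A forward -p tcp -s $client 1024:65535 -d $server $base:$intr -j ACCEPT"
    # 2) Replies from the server back to the client. ipchains is stateless, so the
    #    return direction must be opened explicitly; '! -y' rejects any packet that
    #    is a new SYN, so the server can never open a connection into the DMZ.
    echo "ipchains -A forward -p tcp ! -y -s $server $base:$intr -d $client 1024:65535 -j ACCEPT"
    # 3) Anything else aimed at the DB2 ports is denied and logged (-l) for detection.
    echo "ipchains -A forward -p tcp -d $server $base:$intr -j DENY -l"
}

# Driver: look up SVCENAME, then print the rule set. Fails if the name is unknown.
db2_firewall() {
    base=$(printf '%s\n' "$SERVICES_DATA" | svc_port "$1")
    if [ -z "$base" ]; then
        echo "SVCENAME '$1' not found in services data" >&2
        return 1
    fi
    db2_rules "$2" "$3" "$base"
}

# Constructed addresses: client 10.0.1.5 in the DMZ, server 192.168.1.10 on the intranet.
db2_firewall xdoole 10.0.1.5 192.168.1.10
```

If the firewall's input and output chains also default to DENY, the same source/destination/port matches must be allowed there too, since every forwarded packet traverses input, forward and output.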

Sun, 08 Sep 2002 03:00:00 GMT
