[omniORB] Firewalling omniORB question.

Michael J. Donahue mdonahue@McLeodUSA.com
Tue, 27 Feb 2001 16:12:29 -0600




Unfortunately, I cannot run the Name Service on the firewall.  It is a
proprietary machine.  Guess I should have added that to the scenario...

But I do appreciate the answer.  Thanks!   Any other ideas???

- Mike Donahue





"Cary O'Brien" <cobrien@Radix.Net> on 02/27/2001 04:06:55 PM

To:   Michael J. Donahue/MCLEOD@MCLEOD
cc:
Subject:  Re: [omniORB] Firewalling omniORB question.



>
>
>
> All -
>
> We're trying to setup omniORB 2.8.0 to work with clients on the outside of a
> firewall, and the Name Service and server on the inside of the firewall.  The
> only problem is, that each of our servers are setup with multiple interfaces,
> each on a different internal network.  Nobody is able to guarantee us that the
> first interface configured on the servers will be the one that we want to have
> the Names Service available on for the firewalled clients, so we set the
> -BOAiiop_name_port to the same hostname as the -ORBInitialHost and we set the
> port portion to a port number one greater than the -ORBInitialPort on the Name
> Service machine.
>
> omniNames -start 15000 -ORBInitialHost corbanamesserver.domain.com
> -ORBInitialPort 15000 -BOAiiop_name_port corbanamesserver.domain.com:15001
>
> Our goals include:
> *   We cannot change the well-known port for the Name Service. (this has already
> been published for non-firewalled clients and servers)
> *   We cannot expect the network interfaces to be in any specific order.
> *   We need to be able to setup omniNames to be usable from any specified port
> on any specified interface.
> *   We need to be able to change to omniORB 3.0.3 in the near future with both
> BOA and POA ability.
>
> omniORB.cfg on the client
> ORBInitialHost  corbanamesserver.domain.com
> ORBInitialPort   15000
>
> Is this the "right" way to resolve the issue?  What problems might we have with
> this setup?  Is there a better way that we haven't thought of?  If so, what are
> the trade-offs?
>

I was going to suggest using a proxy on the firewall like redir to redirect the
connection to the correct interface on the correct machine inside the firewall,
but after thinking about it I suspect this will mess up the object references that
your nameserver sends back to the client.

So I guess you have to run the nameserver on the firewall.

But then, won't the object references stored in the nameserver running on the
firewall contain internal ip addresses?  Hmm...  I've run into the same thing
with SNMP, where IP addresses are inside the protocol as well as in the
IP header.

So you may need an application level proxy that understands IIOP.  Or do
these already exist?

-- cary  more-confused-than-when-i-started
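The reason a plain port redirector breaks the setup Cary describes is that the addresses live inside the IOR the name server hands back, not only in the IP header. The script below is an added example, not part of this thread and not omniORB code: it encodes and decodes the IIOP profile of a stringified IOR (the "IOR:" hex form) according to the CDR rules in the CORBA spec, and then re-encodes the IOR with a different host, which is the rewrite an IIOP-aware proxy would have to perform. The type id, the internal address 10.1.2.3, and the object key used as sample input are constructed for the example; the hostname and port come from the original question. It handles a single TAG_INTERNET_IOP profile and, when re-encoding, drops any tagged components and other profiles, so treat it as a demonstration of the format rather than a proxy.

```python
"""Encode, decode and rewrite the IIOP profile inside a stringified CORBA IOR.

Added example (not omniORB code). Illustrates why a transport-level redirect
on a firewall cannot fix object references that carry internal addresses.
"""
import struct

TAG_INTERNET_IOP = 0  # tag of the IIOP profile in a TaggedProfile


class CDRWriter:
    """Big-endian CDR encapsulation writer (first octet 0 = big-endian)."""

    def __init__(self):
        self.buf = bytearray([0])

    def align(self, n):           # CDR aligns primitives to their size,
        while len(self.buf) % n:  # counted from the start of the encapsulation
            self.buf.append(0)

    def octet(self, v):
        self.buf.append(v)

    def ushort(self, v):
        self.align(2)
        self.buf += struct.pack(">H", v)

    def ulong(self, v):
        self.align(4)
        self.buf += struct.pack(">I", v)

    def string(self, s):          # ulong length (incl. NUL) + bytes + NUL
        b = s.encode("ascii") + b"\0"
        self.ulong(len(b))
        self.buf += b

    def octets(self, b):          # sequence<octet>: ulong length + bytes
        self.ulong(len(b))
        self.buf += b

    def data(self):
        return bytes(self.buf)


class CDRReader:
    """CDR encapsulation reader honouring the byte-order flag."""

    def __init__(self, data):
        self.data, self.pos = data, 1
        self.fmt = "<" if data[0] == 1 else ">"

    def align(self, n):
        self.pos += (-self.pos) % n

    def octet(self):
        v = self.data[self.pos]
        self.pos += 1
        return v

    def ushort(self):
        self.align(2)
        v = struct.unpack_from(self.fmt + "H", self.data, self.pos)[0]
        self.pos += 2
        return v

    def ulong(self):
        self.align(4)
        v = struct.unpack_from(self.fmt + "I", self.data, self.pos)[0]
        self.pos += 4
        return v

    def string(self):
        n = self.ulong()
        s = self.data[self.pos:self.pos + n - 1].decode("ascii")  # strip NUL
        self.pos += n
        return s

    def octets(self):
        n = self.ulong()
        b = self.data[self.pos:self.pos + n]
        self.pos += n
        return b


def make_ior(type_id, host, port, object_key, version=(1, 0)):
    """Build a stringified IOR with one IIOP profile (no tagged components)."""
    prof = CDRWriter()
    prof.octet(version[0])        # IIOP version major/minor
    prof.octet(version[1])
    prof.string(host)             # the address the client will connect to
    prof.ushort(port)
    prof.octets(object_key)
    if version >= (1, 1):
        prof.ulong(0)             # IIOP 1.1+: empty component sequence
    ior = CDRWriter()
    ior.string(type_id)
    ior.ulong(1)                  # one profile follows
    ior.ulong(TAG_INTERNET_IOP)
    ior.octets(prof.data())       # profile body is itself an encapsulation
    return "IOR:" + ior.data().hex()


def parse_ior(ior_str):
    """Return (type_id, [IIOP profiles as dicts]) from a stringified IOR."""
    if not ior_str.startswith("IOR:"):
        raise ValueError("not a stringified IOR")
    r = CDRReader(bytes.fromhex(ior_str[4:]))
    type_id = r.string()
    profiles = []
    for _ in range(r.ulong()):
        tag, body = r.ulong(), r.octets()
        if tag != TAG_INTERNET_IOP:
            continue              # skip multi-component/other profiles
        p = CDRReader(body)
        major, minor = p.octet(), p.octet()
        profiles.append({"version": (major, minor), "host": p.string(),
                         "port": p.ushort(), "object_key": p.octets()})
    return type_id, profiles


def rewrite_ior(ior_str, new_host, new_port):
    """Re-encode the first IIOP profile with a new address (what a proxy must do)."""
    type_id, profiles = parse_ior(ior_str)
    p = profiles[0]
    return make_ior(type_id, new_host, new_port, p["object_key"], p["version"])


if __name__ == "__main__":
    # Constructed sample: a NameService reference bound to an internal interface.
    internal = make_ior("IDL:omg.org/CosNaming/NamingContext:1.0",
                        "10.1.2.3", 15001, b"NameService")
    print(parse_ior(internal))
    # Only an IIOP-aware proxy can produce this; the hex differs in length.
    print(parse_ior(rewrite_ior(internal,
                                "corbanamesserver.domain.com", 15001)))
```

Because the host is a length-prefixed string inside the profile, swapping it changes the size of the encapsulation, which is why the rewrite has to be done at the GIOP/IIOP layer rather than by a TCP redirector.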