[omniORB] Firewalling omniORB question.
Cary O'Brien
cobrien@Radix.Net
Thu, 1 Mar 2001 08:55:37 -0500 (EST)
[question about letting clients outside the firewall access a service]
>
>
>
> Unfortunately, I cannot run the Name Service on the firewall. It is a
> propriatary machine. Guess I should have added that to the senario...
>
> But I do appreciate the answer. Thanks! Any other ideas???
>
Sure (I love this stuff).
I did a search for corba and proxy and found out that mico had an option to
force the IP address encoded in IORs to be something different than the IP
address of the host. I looked at the omniorb options and found this option
-ORBpoa_iiop_name_port <hostname[:port no.]> See section 6.2.
This lets you specify the ip address encoded in outgoing object
references. I thought that this might force omniORB to also bind the
listen socket to this address [more on this later] but this is not the
case, it always binds to 0.0.0.0 (I checked with strace), but at the
specified port number.
I verified that the specified ip shows up in the stringified IOR. I have
not run a test on object references passed as return arguments.
So...
The good news: It seems as if if you a) put a hole in your firewall to
redirect tcp connections to your server (i.e. with redir), and use
-ORBpoa_iiop_name_port firewall_ip:portno
when you start your server, you may be able to generate proper IOR strings
(that point to the firewall), and outside users will be able to access
the server. I have not tested this.
The bad news: internal corba clients may get confused. They will either
always have to go to the outside firewall address to connect, or they will
use, say, a corbloc address pointing to an internal IP, but the object
references will point to the firewall IP address.
Another Observation: It would be good if there were an omniORB option that
specified which port to bind to -- I can think of some DMZ/Firewall configurations
where you would want a corba server to listen on only one of the interfaces.
You may be able to use the ip filtering capability of the server, but it
would be better to not bind at all to the wrong interface.
Yet another observation: Another feature would be to be able to generate
IORs/object references based on client IP range. I have had to do similar
stuff with different protocols. That way the external clients always go
through the firewall and the internal clients go directly using internal
IP addresses. Could you do this with different POAs?
Yet another observation:
IONA apparently had a product called wonderwall that passed CORBA
through a firewall. IT doesn't seem to exist any more.
Disclamer:
I did test that the -ORBpoa_iiop_name_port option causes stringfified IORs
to have the specified ip address, and that the server always binds to
all interfaces. I did not test any more.
I'm fairly interested in this stuff, since I may be called on to set up
a similar configuration in the not too distant future.
-- cary