There are several ways that you can limit remote network access on the storage servers. You can restrict inbound network access to the storage server by implementing a top-down filtering rule set that defines access by user account and origin. You can also define a custom rule set to allow or deny access according to U.S. Department of Defense and PCI-DSS requirements.
Caution: Use caution when implementing nondefault policies to ensure that access to the system is not interrupted. When you add new individual rules, the changes take effect immediately.
To implement a rule set, perform this procedure.
Check the current access status:
# /opt/oracle.cellos/host_access_control access --status
Set the default policy to open or closed:
# /opt/oracle.cellos/host_access_control access --open
# /opt/oracle.cellos/host_access_control access --close
Export the current rule set to an ASCII text file:
# /opt/oracle.cellos/host_access_control access-export --file filename
Use an editor to edit the text file to configure the rule set.
Import the rule set from the text file, overriding the existing rule set:
# /opt/oracle.cellos/host_access_control access-import --file filename
The rule set allows or denies access based on these parameters:
Username – Valid values are either the keyword all or one or more valid local account user names.
Origin – Valid values are either the keyword all or individual entries that describe the source of system access, such as the console, virtual console, Oracle ILOM, an IP address, a network address, a host name, or a DNS domain.
In this example, access to the storage server is granted to the celladmin user when the connection is initiated from the host trustedhost.example.org or from any host within the .trusted.example.com domain.
# /opt/oracle.cellos/host_access_control access --add --user celladmin \
    --origins trustedhost.example.org,.trusted.example.com
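To make the top-down user/origin matching concrete, here is an added Python model written for this page; it is not the host_access_control tool or its export file format, and the rule tuple layout, the first-match and fail-closed semantics, and the sample rules are constructed assumptions.

```python
"""Model of a top-down user/origin access rule set (added illustration).

Assumptions, not the host_access_control export format: each rule is
(action, users, origins); users/origins are "all" or a comma-separated
list; an origin starting with "." is a DNS domain suffix, one containing
"/" is a CIDR network, anything else is an exact host, IP or console name.
"""
import ipaddress

# Constructed rule set, evaluated top-down; the first matching rule decides.
RULES = [
    ("deny",  "all",         "10.0.0.0/8"),
    ("allow", "celladmin",   "trustedhost.example.org,.trusted.example.com"),
    ("allow", "cellmonitor", "console,10.1.2.3"),
    ("deny",  "all",         "all"),  # catch-all: closed default policy
]


def _split(field):
    return [v.strip() for v in field.split(",") if v.strip()]


def origin_matches(pattern, origin):
    """Return True if one origin pattern covers the given origin."""
    if pattern == "all":
        return True
    if pattern.startswith("."):
        # Domain suffix: ".trusted.example.com" covers hosts inside that
        # domain only; a longer name merely containing it does not match.
        return origin.lower().endswith(pattern.lower())
    if "/" in pattern:
        try:
            net = ipaddress.ip_network(pattern, strict=False)
            return ipaddress.ip_address(origin) in net
        except ValueError:
            return False  # origin is not an IP, so a network cannot match
    return pattern.lower() == origin.lower()


def user_matches(field, user):
    return field == "all" or user in _split(field)


def evaluate(rules, user, origin):
    """Walk the rules top-down and return the first matching action;
    with no match at all, fail closed and deny."""
    for action, users, origins in rules:
        if user_matches(users, user) and any(
            origin_matches(p, origin) for p in _split(origins)
        ):
            return action
    return "deny"
```

Note that the cellmonitor rule never fires for 10.1.2.3 because the earlier 10.0.0.0/8 deny matches first, which is the ordering pitfall the caution above warns about.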