
ECC V12 OCI Image Containing Some Unwanted Entries In Nftables (Doc ID 3036147.1)

Last updated on JULY 24, 2024

Applies to:

Oracle Enterprise Command Center Framework - Version 12.2.12 and later
Information in this document applies to any platform.

Symptoms

After deploying the OCI Marketplace image for ECC V12 ("Oracle-EBS-ECC-Image-V12-2024.05.20" at the time of writing this Note), some unwanted entries were found in nftables.
Comparing it with the equivalent OCI image deployed for ECC V11 showed extra entries added to the rules already in place:

a) in the ECC V11 OCI Marketplace image:

================
$ sudo nft list ruleset |grep 7776 -B5 -A2

chain filter_IN_public_allow {
  tcp dport 22 ct state { new, untracked } accept
  ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
  tcp dport 9090 ct state { new, untracked } accept
  tcp dport 7776 ct state { new, untracked } accept
}
================


b) on the equivalent ECC V12 image, the same command produces:

================
chain filter_IN_public_allow {
  tcp dport 22 ct state { new, untracked } accept
  ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
  tcp dport 9090 ct state { new, untracked } accept
  tcp dport 7776 ct state { new, untracked } accept
  tcp dport 8000 ct state { new, untracked } accept
  ip saddr 10.3.xxx.xxx tcp dport 1521 ct state { new, untracked } accept
  ip saddr 158.101.xxx.xxx tcp dport 7776 ct state { new, untracked } accept
  ip saddr 158.xxx.xxx.xxx tcp dport 7776 ct state { new, untracked } accept
}
================


An IP address lookup on a third-party site indicated that:
- 158.101.xxx.xxx belongs to an Oracle Cloud Region;
- 158.xxx.xxx.xxx belongs to a third-party entity;
- 10.3.xxx.xxx is in the private Class A (10.0.0.0/8) range (not reachable from outside networks) and may belong to another internal machine, for instance an Oracle Database server, judging by the port (1521).


The expected behaviour is that the image includes only the ports and IP addresses that are absolutely required for the OCI ECC image (Oracle-EBS-ECC-Image-V12-2024.05.20) to work.
Additional ports and IP addresses should not be present in the nft ruleset.


The steps to reproduce this are:

1. Deploy the ECC V11 OCI Marketplace image;
2. Deploy the ECC V12 OCI Marketplace image;
3. Check and compare the rules using a command like:
$ sudo nft list ruleset |grep 7776 -B5 -A2
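The comparison in step 3 can be automated instead of eyeballed. The script below is an added example and not part of this Note or of the ECC product: it parses the filter_IN_public_allow chain out of `nft list ruleset` output for both images and lists every accept rule the V12 image carries that the V11 baseline does not. The two chain listings are the ones quoted above, embedded as constructed sample input with the addresses still redacted.

```python
import re
from typing import List, NamedTuple, Optional, Set

# Constructed sample input: the two chain listings quoted in this Note (addresses left redacted).
V11_CHAIN = """\
chain filter_IN_public_allow {
  tcp dport 22 ct state { new, untracked } accept
  ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
  tcp dport 9090 ct state { new, untracked } accept
  tcp dport 7776 ct state { new, untracked } accept
}
"""
V12_CHAIN = """\
chain filter_IN_public_allow {
  tcp dport 22 ct state { new, untracked } accept
  ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
  tcp dport 9090 ct state { new, untracked } accept
  tcp dport 7776 ct state { new, untracked } accept
  tcp dport 8000 ct state { new, untracked } accept
  ip saddr 10.3.xxx.xxx tcp dport 1521 ct state { new, untracked } accept
  ip saddr 158.101.xxx.xxx tcp dport 7776 ct state { new, untracked } accept
  ip saddr 158.xxx.xxx.xxx tcp dport 7776 ct state { new, untracked } accept
}
"""

class AllowRule(NamedTuple):
    saddr: Optional[str]  # source restriction; None means any source
    proto: str
    dport: int

# One accept rule line; an optional "ip saddr" or "ip6 daddr" prefix is allowed.
RULE_RE = re.compile(r"^(?:ip saddr (?P<saddr>\S+) )?(?:ip6 daddr \S+ )?"
                     r"(?P<proto>tcp|udp) dport (?P<dport>\d+) ct state .* accept$")

def parse_allow_rules(ruleset: str, chain: str = "filter_IN_public_allow") -> Set[AllowRule]:
    """Extract the accept rules from one chain of `nft list ruleset` output."""
    m = re.search(r"chain %s \{(.*?)\n\s*\}" % re.escape(chain), ruleset, re.S)
    if not m:
        raise ValueError(f"chain {chain} not found in ruleset")
    rules = set()
    for line in m.group(1).splitlines():
        if hit := RULE_RE.match(line.strip()):
            rules.add(AllowRule(hit["saddr"], hit["proto"], int(hit["dport"])))
    return rules

def extra_rules(baseline: str, candidate: str) -> List[AllowRule]:
    """Accept rules in the candidate image's chain that the baseline image lacks."""
    extras = parse_allow_rules(candidate) - parse_allow_rules(baseline)
    return sorted(extras, key=lambda r: (r.dport, r.saddr or ""))
```

On a real deployment, feed the full output of `sudo nft list ruleset` from each image to `extra_rules` in place of the embedded samples; any rule it reports should be traceable to a documented requirement of the image or removed.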


Changes


Cause
