Shorewall and MySQL problem - Networking



Thread: Shorewall and MySQL problem

  1. Shorewall and MySQL problem

    Hi!

    I have MySQL server running on Debian (Sarge) and now when I installed
    Shorewall (ver. 2.2.3) I can't figure out how to enable remote connection
    via MySQL ODBC. Remote connection works fine when Shorewall is not
    running but when Shorewall is on (and restarted) no rules added to
    /etc/shorewall/rules seem to help. Any ideas what I should try?

    ps. I first configured Shorewall to deny everything coming from net. For
    what I know the rules section is the place where to configure what can
    come through. Right?

    -tj

  2. Re: Shorewall and MySQL problem

    On Sat, 10 Feb 2007 18:02:47 +0200, tj wrote:
    >
    > I have MySQL server running on Debian (Sarge) and now when I installed
    > Shorewall (ver. 2.2.3) I can't figure out how to enable remote connection
    > via MySQL ODBC. Remote connection works fine when Shorewall is not
    > running but when Shorewall is on (and restarted) no rules added to
    > /etc/shorewall/rules seem to help. Any ideas what I should try?


    I put variables in shorewall params and used them in shorewall files.
    I would have guessed something like
    ACCEPT net:$GUEST_IP $FW - mysql
    in rules with something like
    GUEST_IP=192.168.2.30
    in params would work.

    Anything besides blacklist changes require you to restart shorewall.

    > ps. I first configured Shorewall to deny everything coming from net. For
    > what I know the rules section is the place where to configure what can
    > come through. Right?


    That is where I poke holes in my setup. I am running Mandriva Linux so
    I would look in /var/log/messages to see if Shorewall posted a log
    message about what was blocked.


    Destination ports of interest may be
    mysql          3306/udp   # MySQL
    mysql-cluster  1186/tcp   # MySQL Cluster Manager
    mysql-cluster  1186/udp   # MySQL Cluster Manager
    mysql-im       2273/tcp   # MySQL Instance Manager
    mysql-im       2273/udp   # MySQL Instance Manager
    mysql          3306/tcp   # MySQL

    Some light reading found at http://www.shorewall.net/Documentation_Index.html

  3. Re: Shorewall and MySQL problem

    Thanks for fast reply!

    Bit Twister wrote:
    >
    > I put variables in shorewall params and used them in shorewall files.
    > I would have guessed something like
    > ACCEPT net:$GUEST_IP $FW - mysql
    > in rules with something like
    > GUEST_IP=192.168.2.30
    > in params would work.
    >


    Currently I have in rules (/etc/shorewall/rules) (I know I'm _new_ in this
    environment as admin):

    ACCEPT net:[two "," separated ip addrs] fw tcp mysql

    I have tried the word "all" instead of tcp and also "ACCEPT net fw tcp 22"
    does nothing, i.e. can't ping the server from outside. What am I doing
    wrong here?


    > Anything besides blacklist changes require you to restart shorewall.


    Done that.



    > Some light reading found at http://www.shorewall.net/Documentation_Index.html



    Thanks, I know, but I don't have time right now...

  4. Re: Shorewall and MySQL problem

    On Sat, 10 Feb 2007 20:02:05 +0200, tj wrote:
    >
    > I have tried the word "all" instead of tcp and also "ACCEPT net fw tcp 22"
    > does nothing, i.e. can't ping the server from outside. What am I doing
    > wrong here?


    Mixing your apples and oranges I guess.
    Port 22 is ssh, not mysql, and you can not ping services.
    "Does nothing" may indicate the service is not running.

    If you meant ping, that can be because the system
    is set up to just drop pings. Mine does.

    >> Some light reading found at

    http://www.shorewall.net/Documentation_Index.html
    > Thanks I know but I dont have time right now...


    Ok, we understand, you get back with us when you have the time.

    To improve your Usenet experience I'll suggest
    http://www.catb.org/~esr/faqs/smart-questions.html
    without skimming.

  5. Re: Shorewall and MySQL problem

    Bit Twister wrote:
    > On Sat, 10 Feb 2007 20:02:05 +0200, tj wrote:
    >> I have tried the word "all" instead of tcp and also "ACCEPT net fw tcp 22"
    >> does nothing, i.e. can't ping the server from outside. What am I doing
    >> wrong here?

    >
    > Mixing your apples and oranges I guess.


    This sounds somewhat familiar...

    > Port 22 is ssh, not mysql, and you can not ping services.
    > "Does nothing" may indicate the service is not running.

    Nor is it 3xxx, which it should be.


    > Ok, we understand, you get back with us when you have the time.


    I'm very sorry. Totally my mistake.



    >
    > To improve your Usenet experience I'll suggest
    > http://www.catb.org/~esr/faqs/smart-questions.html
    > with out skimming.


    so?

  6. Re: Shorewall and MySQL problem - solved

    Here are the lines I added that solved this problem (First shorewall and
    last mysql):

    rules
    -----
    ACCEPT net:[ip,ip,ip] fw all


    policy
    ------
    loc all ACCEPT
    fw all ACCEPT
    net all DROP info
    all all REJECT info


    interfaces
    ----------
    net eth0 detect dhcp
    loc eth1 detect dhcp


    zones
    -----
    net Net The Internet
    loc Local Local Network
    dmz DMZ demilzone


    shorewall.conf
    --------------
    IP_FORWARDING=On
    DROPINVALID=Yes


    /etc/default/shorewall
    ----------------------
    startup=1


    mysql
    -----
    GRANT ALL PRIVILEGES ON *.* TO [user]@[IPs in Rules] IDENTIFIED BY [PASSWD];

    ps. Thanks to Bit Twister for the advice and for kicking my arse for being
    rude...

  7. Re: Shorewall and MySQL problem - solved

    On Sun, 11 Feb 2007 19:41:58 +0200, tj wrote:
    > Here are the lines I added that solved this problem (First shorewall and
    > last mysql):
    >
    > rules
    > -----
    > ACCEPT net:[ip,ip,ip] fw all


    Well, now the system accepts any connection besides mysql for ip,ip,ip
    It is a solution for mysql, but your server is now more at risk from
    [ip,ip,ip]

    When your server is cracked from [ip,ip,ip] and used to attack other
    systems, YOU are to blame for not setting a tighter rule.

    Do take just a minute to read the /troubleshooting/ link found at
    http://www.shorewall.net/Documentation_Index.html
    /Connection Problems/ is where I would like to see the minute spent.

    > interface
    > ---------
    > net eth0 detect dhcp


    Now you can add some net options and get a tighter wall. I'll suggest
    routefilter,tcpflags


    > shorewall.conf
    > --------------


    Did you look in that file to see where your shorewall log messages are sent?

    > ps. Thanks to BiTwster for the advice and for kicking my arse for being
    > rude...


    Anytime. 8-)
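
    A tighter version of the configuration posted in reply 6, following the
    advice in replies 2 and 7 (a params variable, a rule restricted to the
    MySQL port and the listed source addresses instead of "all", the
    routefilter,tcpflags interface options) and, as the editor's own addition
    that nobody in the thread raised, a GRANT limited to one database instead
    of ALL PRIVILEGES ON *.*. This is an added example written for this page,
    not configuration posted by either participant. The addresses
    192.168.2.30 and 192.168.2.31, the database name appdb, the account name
    app and the password are placeholders. Column layout follows the
    Shorewall 2.2 params, rules, policy and interfaces files, where $FW is the
    firewall zone (fw by default).

```text
# /etc/shorewall/params  (read as a shell fragment; assumed client addresses)
DBCLIENTS=192.168.2.30,192.168.2.31

# /etc/shorewall/rules
# ACTION  SOURCE          DEST   PROTO  DEST PORT(S)
# Only the MySQL port, only from the listed clients. Compare the posted
# "ACCEPT net:[ip,ip,ip] fw all", which opened every port to those hosts.
ACCEPT    net:$DBCLIENTS  $FW    tcp    3306
# Admin access over ssh from the same clients (assumed to be wanted).
ACCEPT    net:$DBCLIENTS  $FW    tcp    22
# Let the listed clients ping the host while testing; delete this line
# if ICMP echo should stay dropped by the net policy below.
ACCEPT    net:$DBCLIENTS  $FW    icmp   8

# /etc/shorewall/policy
# SOURCE  DEST  POLICY  LOG LEVEL
loc       all   ACCEPT
$FW       all   ACCEPT
net       all   DROP    info
all       all   REJECT  info

# /etc/shorewall/interfaces
# ZONE  INTERFACE  BROADCAST  OPTIONS
net     eth0       detect     dhcp,routefilter,tcpflags
loc     eth1       detect     dhcp

# mysql (run as a MySQL administrative user; database and account are assumed)
# One grant per client address, for one database, with only the rights the
# ODBC client needs, instead of ALL PRIVILEGES ON *.* for the same hosts.
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app'@'192.168.2.30' IDENTIFIED BY 'change-me';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app'@'192.168.2.31' IDENTIFIED BY 'change-me';
```

    After editing, "shorewall restart" is required, as reply 2 notes. With
    the default LOGFORMAT, packets dropped by the net policy show up in the
    log destination named in shorewall.conf with a "Shorewall:net2all:DROP:"
    prefix, which is the quickest way to see which port and source a failing
    ODBC connection is actually using before adding a rule for it.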

  8. Re: Shorewall and MySQL problem - solved

    Bit Twister wrote:
    >> rules
    >> -----
    >> ACCEPT net:[ip,ip,ip] fw all

    >
    > Well, now the system accepts any connection besides mysql for ip,ip,ip
    > It is a solution for mysql, but your server is now more at risk from
    > [ip,ip,ip]
    >

    Yes, but those IPs belong to computers I can reach without getting up.
    Can you force a computer to show a specific IP outside nowadays? )*1

    > When your server is cracked from [ip,ip,ip] and used to attack other
    > systems, YOU are to blame for not setting a tighter rule.
    >


    I _tried_ to test this server to be secure from any kinds of attacks
    from outside. See question )*1 above


    > Do take just a minute to read the /troubleshooting/ link found at
    > http://www.shorewall.net/Documentation_Index.html
    > /Connection Problems/ is where I would like to see the minute spent.
    >


    I will, but right now I don't have the time.

  9. Re: Shorewall and MySQL problem - solved

    On Sun, 11 Feb 2007 20:28:23 +0200, tj wrote:
    > Bit Twister wrote:
    >>
    >> Well, now the system accepts any connection besides mysql for ip,ip,ip
    >> It is a solution for mysql, but your server is now more at risk from
    >> [ip,ip,ip]
    >>

    > Yes but those ips belong to computers I can reach without getting up.


    I read an article a few days ago. 80% are internal cracks from
    disgruntled employees.

    Noticed you are posting from windows. With /known/ malware signature count
    past the half a million mark, I would have to treat any doze box on
    the lan like it was an external connection.


    > I _tried_ to test this server to be secure from any kinds of attacks
    > from outside.


    Security is designed in up front, not added later by testing.

    The first line of defense is the firewall and it only lets the
    required ips access for /only/ the services they require. Not the wild
    card service access you granted.

    Servers are being cracked through applications running behind the
    firewall via poor programming practices.

    The first, it seems, is that programmers are no longer validating input
    before using it.

    As an "Oh by the way", webmin is a nice remote access gui tool for
    managing shorewall.

    I assume you did set the routestopped values.

  10. Re: Shorewall and MySQL problem - solved

    Bit Twister wrote:

    > I read an article a few days ago. 80% are internal cracks from
    > disgruntled employees.


    Please post references to that article.

    >
    > Noticed you are posting from windows. With /known/ malware signature count
    > past the half a million mark, I would have to treat any doze box on
    > the lan like it was an external connection.


    This XP is on a different LAN.

    >> I _tried_ to test this server to be secure from any kinds of attacks
    >> from outside.

    >
    > Security is designed in up front, not added later by testing.
    >

    That I do disagree with. At least parts of it.



    > The first line of defense is the firewall and it only lets the
    > required ips access for /only/ the services they require. Not the wild
    > card service access you granted.
    >

    Agreed.



    > Servers are being cracked through applications running behind the
    > firewall via poor programming practices.
    >

    Agreed.

    > The first, it seems, are programmers are no longer validating input
    > before using it.
    >

    Agreed.



  11. Re: Shorewall and MySQL problem - solved

    On Mon, 12 Feb 2007 20:42:55 +0200, tiizei wrote:
    > Bit Twister wrote:
    >
    >> I read an article a few days ago. 80% are internal cracks from
    >> disgruntled employees.

    >
    > Please post references to that article.


    I had looked for it when I posted and could not find it.
    Basically it was the employee passed over for consideration, poor
    raise, were pretty sure they were going to be laid off, troublemaker
    types. Of course there's always the plain ole thief.

    You have to admit, employees surfing from the Employer's network does
    not help keep out malware. Criminals are targeting the employee inside
    the Employer's net to gain access.

    I could see how an intrusion report would rather say disgruntled emp
    rather than cracker access.
