Shorewall and MySQL problem

 
 
tj

 
      02-10-2007, 03:02 PM
Hi!

I have MySQL server running on Debian (Sarge) and now when I installed
Shorewall (ver. 2.2.3) I can't figure out how to enable remote connection
via MySQL ODBC. Remote connection works fine when Shorewall is not
running but when Shorewall is on (and restarted) no rules added to
/etc/shorewall/rules seem to help. Any ideas what I should try?

ps. I first configured Shorewall to deny everything coming from net. For
what I know the rules section is the place where to configure what can
come through. Right?

-tj
 
 
 
 
 
Bit Twister

 
      02-10-2007, 03:56 PM
On Sat, 10 Feb 2007 18:02:47 +0200, tj wrote:
>
> I have MySQL server running on Debian (Sarge) and now when I installed
> Shorewall (ver. 2.2.3) I can't figure out how to enable remote connection
> via MySQL ODBC. Remote connection works fine when Shorewall is not
> running but when Shorewall is on (and restarted) no rules added to
> /etc/shorewall/rules seem to help. Any ideas what I should try?


I put variables in shorewall params and used them in shorewall files.
I would have guessed something like
ACCEPT net:$GUEST_IP $FW - mysql
in rules with something like
GUEST_IP=192.168.2.30
in params would work.

Anything besides blacklist changes require you to restart shorewall.

> ps. I first configured Shorewall to deny everything coming from net. For
> what I know the rules section is the place where to configure what can
> come through. Right?


That is where I poke holes in my setup. I am running Mandriva linux so
I would look in /var/log/messages to see if Shorewall posted a log
message about what was blocked.


Destination ports of interest may be
mysql 3306/udp # MySQL
mysql-cluster 1186/tcp # MySQL Cluster Manager
mysql-cluster 1186/udp # MySQL Cluster Manager
mysql-im 2273/tcp # MySQL Instance Manager
mysql-im 2273/udp # MySQL Instance Manager
mysql 3306/tcp # MySQL

Some light reading found at http://www.shorewall.net/Documentation_Index.html
 
 
tj

 
      02-10-2007, 05:02 PM
Thanks for fast reply!

Bit Twister wrote:
>
> I put variables in shorewall params and used then in shorewall files.
> I would have guessed something like
> ACCEPT net:$GUEST_IP $FW - mysql
> in rules with something like
> GUEST_IP=192.168.2.30
> in params would work.
>


Currently I have in rules (/etc/shorewall/rules) (I know I'm _new_ in this
environment as admin):

ACCEPT net:[two "," separated ip addrs] fw tcp mysql

I have tried the word "all" instead of tcp and also "ACCEPT net fw tcp 22"
does nothing, i.e. can't ping the server from outside. What am I doing
wrong here?


> Anything besides blacklist changes require you to restart shorewall.


Done that.



> Some light reading found at http://www.shorewall.net/Documentation_Index.html



Thanks, I know, but I don't have time right now...
 
 
Bit Twister

 
      02-10-2007, 05:35 PM
On Sat, 10 Feb 2007 20:02:05 +0200, tj wrote:
>
> I have tried the word "all" instead of tcp and also "ACCEPT net fw tcp 22"
> does nothing, i.e. can't ping the server from outside. What am I doing
> wrong here?


Mixing your apples and oranges I guess.
Port 22 is ssh, not mysql, and you can not ping services.
"Does nothing" may indicate the service is not running.

If you meant ping, that can be because the system
is set up to just drop pings. Mine does.

>> Some light reading found at http://www.shorewall.net/Documentation_Index.html
> Thanks, I know, but I don't have time right now...


Ok, we understand, you get back with us when you have the time.

To improve your Usenet experience I'll suggest
http://www.catb.org/~esr/faqs/smart-questions.html
without skimming.
 
 
tj

 
      02-10-2007, 06:32 PM
Bit Twister wrote:
> On Sat, 10 Feb 2007 20:02:05 +0200, tj wrote:
>> I have tried the word "all" instead of tcp and also "ACCEPT net fw tcp 22"
>> does nothing, i.e. can't ping the server from outside. What am I doing
>> wrong here?

>
> Mixing your apples and oranges I guess.


This sounds somewhat familiar...

> Port 22 is ssh, not mysql, and you can not ping services.
> "Does nothing" may indicate the service is not running.

Nor is it 3xxx, what it should be.


> Ok, we understand, you get back with us when you have the time.


I'm very sorry. Totally my mistake.



>
> To improve your Usenet experience I'll suggest
> http://www.catb.org/~esr/faqs/smart-questions.html
> without skimming.


so?
 
</gr_replreplace>
<gr_replace lines="203-204" cat="remove_boilerplate" orig="Guest">
 
tj
Guest
Posts: n/a

 
      02-11-2007, 04:41 PM
Here are the lines I added that solved this problem (First shorewall and
last mysql):

rules
-----
ACCEPT net:[ip,ip,ip] fw all


policy
------
loc all ACCEPT
fw all ACCEPT
net all DROP info
all all REJECT info


interface
---------
net eth0 detect dhcp
loc eth1 detect dhcp


zones
-----
net Net The Internet
loc Local Local Network
dmz DMZ demilzone


shorewall.conf
--------------
IP_FORWARDING=On
DROPINVALID=Yes


/etc/default/shorewall
----------------------
startup=1


mysql
-----
GRANT ALL PRIVILEGES ON *.* TO [user]@[IPs in Rules] IDENTIFIED BY [PASSWD];
ps. Thanks to Bit Twister for the advice and for kicking my arse for being
rude...
 
 
Bit Twister

 
      02-11-2007, 05:07 PM
On Sun, 11 Feb 2007 19:41:58 +0200, tj wrote:
> Here are the lines I added that solved this problem (First shorewall and
> last mysql):
>
> rules
> -----
> ACCEPT net:[ip,ip,ip] fw all


Well, now the system accepts any connection besides mysql for ip,ip,ip
It is a solution for mysql, but your server is now more at risk from
[ip,ip,ip]

When your server is cracked from [ip,ip,ip] and used to attack other
systems, YOU are to blame for not setting a tighter rule.

Do take just a minute to read the /troubleshooting/ link found at
http://www.shorewall.net/Documentation_Index.html
/Connection Problems/ is where I would like to see the minute spent.

> interface
> ---------
> net eth0 detect dhcp


Now you can add some net options and get a tighter wall. I'll suggest
routefilter,tcpflags


> shorewall.conf
> --------------


Did you look in that file to see where your shorewall log messages are sent?

> ps. Thanks to Bit Twister for the advice and for kicking my arse for being
> rude...


Anytime. 8-)
 
 
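The exchange above turns on one point: `ACCEPT net:[ip,ip,ip] fw all` solves the MySQL problem but opens every protocol and port from those hosts, where `ACCEPT net:$GUEST_IP $FW tcp 3306` would open only the service actually needed. The following is an added example, not code from the thread or from the Shorewall project: a small lint pass over a Shorewall 2.x style rules file that parses the ACTION/SOURCE/DEST/PROTO/DEST PORT columns, flags ACCEPT rules from the `net` zone whose source, protocol or port is a wildcard, and renders the single-service form of such a rule. The sample rules file is constructed for the example (RFC 5737 documentation addresses stand in for the poster's `[ip,ip,ip]`), and the wildcard spellings, column handling and messages are assumptions of this script rather than Shorewall's own checks.

```python
"""Lint a Shorewall 2.x style /etc/shorewall/rules file for over-broad ACCEPT rules.

Added example for the thread above; not part of Shorewall. It flags the
"ACCEPT net:[ip,ip,ip] fw all" pattern and prints the one-service alternative.
"""
from dataclasses import dataclass

# Column order in a Shorewall 2.x rules file:
# ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT (further columns are ignored here)
COLUMNS = ("action", "source", "dest", "proto", "dport", "sport")

# Column values this linter treats as "match everything" (assumption of the example).
WILDCARD = {"", "-", "all", "any"}

# Constructed sample rules file. Line 3 mirrors the rule posted in the thread,
# line 5 is the tighter MySQL-only form of it.
SAMPLE_RULES = """\
# constructed sample; addresses are RFC 5737 documentation addresses
SECTION NEW
ACCEPT  net:192.0.2.10,192.0.2.11  fw   all
ACCEPT  net                        fw   tcp   22
ACCEPT  net:192.0.2.10,192.0.2.11  fw   tcp   3306
ACCEPT  loc                        fw   tcp   mysql
"""


@dataclass
class Rule:
    lineno: int
    action: str
    source: str
    dest: str
    proto: str = "-"
    dport: str = "-"
    sport: str = "-"

    @property
    def source_zone(self) -> str:
        return self.source.split(":", 1)[0]

    @property
    def source_hosts(self) -> list:
        # "net:1.2.3.4,5.6.7.8" -> ["1.2.3.4", "5.6.7.8"]; a bare zone name -> []
        if ":" not in self.source:
            return []
        return [h for h in self.source.split(":", 1)[1].split(",") if h]


def parse_rules(text: str) -> list:
    """Parse the rules file text, skipping comments, blank lines and SECTION markers."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.upper().startswith("SECTION"):
            continue
        cols = line.split()
        if len(cols) < 3:
            raise ValueError(f"line {lineno}: need at least ACTION SOURCE DEST")
        fields = dict(zip(COLUMNS, cols[: len(COLUMNS)]))
        rules.append(Rule(lineno, **fields))
    return rules


def lint(rules: list, untrusted_zone: str = "net") -> list:
    """Return (lineno, message) pairs for ACCEPT rules from untrusted_zone that are
    wider than one service for a named list of hosts."""
    findings = []
    for r in rules:
        if r.action.upper() != "ACCEPT" or r.source_zone != untrusted_zone:
            continue
        problems = []
        if not r.source_hosts:
            problems.append("source is the whole zone, not a host list")
        if r.proto.lower() in WILDCARD:
            problems.append("protocol is a wildcard")
        if r.dport.lower() in WILDCARD:
            problems.append("destination port is a wildcard")
        if problems:
            findings.append((r.lineno, "; ".join(problems)))
    return findings


def tighten(rule: Rule, proto: str = "tcp", dport: str = "3306") -> str:
    """Render the rule restricted to one service (default: MySQL on tcp/3306)."""
    return f"{rule.action}\t{rule.source}\t{rule.dest}\t{proto}\t{dport}"


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for lineno, msg in lint(parsed):
        print(f"rules line {lineno}: {msg}")
    print("tighter form of line 3:", tighten(parsed[0]))
```

Run against the sample, the script reports line 3 (wildcard protocol and port) and line 4 (bare `net` source), and leaves the `tcp 3306` rule and the `loc` rule alone; pointing `parse_rules` at a real `/etc/shorewall/rules` is a quick way to find the same pattern in an existing setup before restarting Shorewall.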
tj

 
      02-11-2007, 05:28 PM
Bit Twister wrote:
>> rules
>> -----
>> ACCEPT net:[ip,ip,ip] fw all

>
> Well, now the system accepts any connection besides mysql for ip,ip,ip
> It is a solution for mysql, but your server is now more at risk from
> [ip,ip,ip]
>

Yes, but those ips belong to computers I can reach without getting up.
Can you force a computer to show a specific ip outside nowadays? )*1

> When your server is cracked from [ip,ip,ip] and used to attack other
> systems, YOU are to blame for not setting a tighter rule.
>


I _tried_ to test this server to be secure from any kinds of attacks
from outside. See question )*1 above


> Do take just a minute to read the /troubleshooting/ link found at
> http://www.shorewall.net/Documentation_Index.html
> /Connection Problems/ is where I would like to see the minute spent.
>


I will, but right now I don't have the time.
 
 
Bit Twister

 
      02-11-2007, 06:58 PM
On Sun, 11 Feb 2007 20:28:23 +0200, tj wrote:
> Bit Twister wrote:
>>
>> Well, now the system accepts any connection besides mysql for ip,ip,ip
>> It is a solution for mysql, but your server is now more at risk from
>> [ip,ip,ip]
>>

> Yes but those ips belong to computers I can reach without getting up.


I read an article a few days ago. 80% are internal cracks from
disgruntled employees.

Noticed you are posting from windows. With /known/ malware signature count
past the half a million mark, I would have to treat any doze box on
the lan like it was an external connection.


> I _tried_ to test this server to be secure from any kinds of attacks
> from outside.


Security is designed in up front, not added later by testing.

The first line of defense is the firewall and it only lets the
required ips access for /only/ the services they require. Not the wild
card service access you granted.

Servers are being cracked through applications running behind the
firewall via poor programming practices.

The first, it seems, is that programmers are no longer validating input
before using it.

As an "Oh by the way", webmin is a nice remote access gui tool for
managing shorewall.

I assume you did set the routestopped values.
 
 
tiizei

 
      02-12-2007, 05:42 PM
Bit Twister wrote:

> I read an article a few days ago. 80% are internal cracks from
> disgruntled employees.


Please post references to that article.

>
> Noticed you are posting from windows. With /known/ malware signature count
> past the half a million mark, I would have to treat any doze box on
> the lan like it was an external connection.


This xp is on a different lan.

>> I _tried_ to test this server to be secure from any kinds of attacks
>> from outside.

>
> Security is designed in up front, not added later by testing.
>

With that I do disagree. At least parts of it.



> The first line of defense is the firewall and it only lets the
> required ips access for /only/ the services they require. Not the wild
> card service access you granted.
>

Agreed.



> Servers are being cracked through applications running behind the
> firewall via poor programming practices.
>

Agreed.

> The first, it seems, is that programmers are no longer validating input
> before using it.
>

Agreed.


 