DaemonForums  

Go Back   DaemonForums > FreeBSD > FreeBSD Security

FreeBSD Security Securing FreeBSD.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 22nd May 2008
renolinux renolinux is offline
New User
 
Join Date: May 2008
Posts: 1
Thanked 0 Times in 0 Posts
Default BSD n00b needs to block incoming SQL on 3306

Hi, I suppose an introduction is necessary. I'm a long time linux admin but one of my customers has BSD boxes. I've figured most everything out except IPFW. Every time I try to implement it, I lock myself out of the server. I've followed 2 or 3 tutorials on setting up an all openfirewall that you can close down to whatever you want, but I always lock out all connections to all ports.

I just need to limit connections to port 3306 to a handful of IP's. What is the best way to go about this?

Thank you very much for your help.
Reply With Quote
  #2   (View Single Post)  
Old 22nd May 2008
corey_james corey_james is offline
Uber Geek
 
Join Date: Apr 2008
Location: Brisbane, Australia
Posts: 238
Thanked 4 Times in 10 Posts
Default

I haven't done IPFW in years but i think it's something like this

#Block all
ipfw add deny all from any to any 3306 in via <interface>

# Allow a few
ipfw add allow tcp from <ip>,<ip> to any 3306 in via <interface>
Reply With Quote
  #3   (View Single Post)  
Old 22nd May 2008
cajunman4life cajunman4life is offline
Real Name: Aaron Graves
Package Pilot
 
Join Date: May 2008
Location: Coolidge, Arizona
Posts: 203
Thanked 16 Times in 14 Posts
Default

Or, a quick simple fix to /etc/hosts.allow

mysqld : 192.168.1.0/24 : allow
mysqld : ALL : deny

* DISCLAIMER: I'm presently at work, exactly 36 miles away from my BSD system, and connection to said system is down due to a rather unusual (for Arizona anyways) rain storm. So uhh, I can't test the above. It's either mysqld or mysql. Don't forget to comment out the ALL : ALL : allow line at the top of the file, or you'll completely over-ride anything you set below that and scratch your head for hours trying to figure out why it doesn't work when "it should."

Also, be sure to restart mysqld after the above change. Oh - and of course, change 192.168.1.0/24 to whatever your config is.
__________________
I just saved a bunch of money on my car insurance by fleeing the scene of the accident!
Reply With Quote
  #4   (View Single Post)  
Old 25th May 2008
phoenix's Avatar
phoenix phoenix is offline
Risen from the ashes
 
Join Date: May 2008
Posts: 699
Thanked 90 Times in 81 Posts
Default

The default rule (number 65536) is "deny ip from any to any". Which means if you load the ipfw.ko kernel module, all network traffic will stop.

To change the default rule to "allow ip from any to any", you have to recompile the kernel with options IPFIREWALL_DEFAULT_TO_ACCEPT.
__________________
Freddie

Help for FreeBSD: Handbook, FAQ, man pages, mailing lists.
Reply With Quote
  #5   (View Single Post)  
Old 26th May 2008
chris chris is offline
Port Guard
 
Join Date: May 2008
Location: United Kingdom
Posts: 35
Thanked 6 Times in 3 Posts
Default

phoenix is correct, I ran into the same problem myself and was quite annoyed to find that this 'hidden' rule wasn't mentioned by quite a few different resources. You can either follow the steps that phoenix has given or if you are loading ipfw via kldload you should use the following

Code:
kldload ipfw && ipfw -q add 65000 allow all from any to any
You can also add the following to your /etc/rc.conf

Code:
firewall_enable="YES"
firewall_type="open"
which will load ipfw when the system boots up and also stop it from defaulting to block all.
Reply With Quote
  #6   (View Single Post)  
Old 27th May 2008
Starhost Starhost is offline
New User
 
Join Date: May 2008
Posts: 4
Thanked 0 Times in 0 Posts
Default

I would personnaly go for PF. I find it much simpler to configure and the user base / examples on the net seems to be larger,
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
postfix incoming only on external vdubjunkie General software and network 5 7th June 2009 08:02 PM
Tomcat n00b error disappearedng FreeBSD General 0 18th November 2008 05:14 AM
edonkey n00b question disappearedng FreeBSD General 5 17th November 2008 10:09 AM
n00b Eclipse question disappearedng FreeBSD General 3 3rd November 2008 05:29 PM
A few FreeBSD n00b questions zelut FreeBSD General 1 7th October 2008 07:13 PM


All times are GMT. The time now is 12:59 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick