Shorewall and MySQL problem

Post by tj » Mon, 12 Feb 2007 01:02:47



Hi!

I have a MySQL server running on Debian (Sarge) and now that I have installed
Shorewall (ver. 2.2.3) I can't figure out how to enable remote connections
via MySQL ODBC. Remote connection works fine when Shorewall is not
running, but when Shorewall is on (and restarted) no rules added to
/etc/shorewall/rules seem to help. Any ideas what I should try?

ps. I first configured Shorewall to deny everything coming from net. As far
as I know the rules section is the place where to configure what can
come through. Right?

-tj

 
 
 

Shorewall and MySQL problem

Post by Bit Twiste » Mon, 12 Feb 2007 01:56:22



> I have a MySQL server running on Debian (Sarge) and now that I have installed
> Shorewall (ver. 2.2.3) I can't figure out how to enable remote connections
> via MySQL ODBC. Remote connection works fine when Shorewall is not
> running, but when Shorewall is on (and restarted) no rules added to
> /etc/shorewall/rules seem to help. Any ideas what I should try?

I put variables in shorewall params and used them in shorewall files.
I would have guessed something like
        ACCEPT        net:$GUEST_IP       $FW     -     mysql
in rules with something like
         GUEST_IP=192.168.2.30
in params would work.

Anything besides blacklist changes require you to restart shorewall.

> ps. I first configured Shorewall to deny everything coming from net. As far
> as I know the rules section is the place where to configure what can
> come through. Right?

That is where I poke holes in my setup. I am running Mandriva linux so
I would look in /var/log/messages to see if Shorewall posted a log
message about what was blocked.

Destination ports of interest may be
            mysql 3306/udp # MySQL
            mysql-cluster 1186/tcp # MySQL Cluster Manager
            mysql-cluster 1186/udp # MySQL Cluster Manager
            mysql-im 2273/tcp # MySQL Instance Manager
            mysql-im 2273/udp # MySQL Instance Manager
            mysql 3306/tcp # MySQL

Some light reading found at http://www.shorewall.net/Documentation_Index.html
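
Since the reply above points at the Shorewall log lines in /var/log/messages as the place to see what is being blocked, here is an added example (not part of this thread, not Shorewall's own tooling) that extracts the source address and destination port from those entries and tallies drops per port. The log lines are constructed for the example; the `Shorewall:net2fw:DROP:` prefix and the `SRC=`/`PROTO=`/`DPT=` fields follow the netfilter LOG format that Shorewall writes through syslog. On a real box you would replace `printf '%s\n' "$SAMPLE_LOG"` with `grep Shorewall: /var/log/messages`.

```shell
#!/bin/sh
# Added example: summarise Shorewall DROP/REJECT log entries so you can see
# which port (and which source) your ACCEPT rule has to cover.
# SAMPLE_LOG is constructed test data, not a real capture.

SAMPLE_LOG='Feb 11 17:02:47 db kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40123 DPT=3306 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 11 17:02:50 db kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40124 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 11 17:02:53 db kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.11 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40125 DPT=3306 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 11 17:03:01 db kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=49 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Feb 11 17:03:05 db sshd[1234]: Accepted publickey for tj from 10.0.0.5 port 5000 ssh2'

# Read syslog lines on stdin; for every Shorewall entry print
#   chain action proto src dport
# Non-Shorewall lines are ignored; entries without DPT= (ICMP) get dport "-".
shorewall_drops() {
    awk '
        /Shorewall:/ {
            proto = "-"; src = "-"; dpt = "-"; tag = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Shorewall:/)   tag   = $i
                else if ($i ~ /^PROTO=/)  proto = substr($i, 7)
                else if ($i ~ /^SRC=/)    src   = substr($i, 5)
                else if ($i ~ /^DPT=/)    dpt   = substr($i, 5)
            }
            # tag looks like "Shorewall:net2fw:DROP:IN=eth0"
            split(tag, t, ":")
            print t[2], t[3], proto, src, dpt
        }
    '
}

# Count dropped connections per proto/port, most frequent first.
drops_by_port() {
    shorewall_drops | awk '{ c[$3 "/" $5]++ } END { for (k in c) print c[k], k }' | sort -rn
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | shorewall_drops
printf '%s\n' "$SAMPLE_LOG" | drops_by_port
```

The chain name (`net2fw`) tells you which zone pair the dropped packet crossed, which is what decides the SOURCE and DEST columns of the rule you need; the `DPT=` value is the DEST PORT column. If nothing shows up for port 3306 at all while the client still fails, the packet is not reaching the firewall, which usually means the service is not listening on that interface rather than a Shorewall problem.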

 
 
 

Shorewall and MySQL problem

Post by tj » Mon, 12 Feb 2007 03:02:05


Thanks for fast reply!


> I put variables in shorewall params and used them in shorewall files.
> I would have guessed something like
>    ACCEPT        net:$GUEST_IP       $FW     -     mysql
> in rules with something like
>     GUEST_IP=192.168.2.30
> in params would work.

Currently I have in rules (/etc/shorewall/rules) (I know I'm _new_ in this
environment as admin):

ACCEPT net:[two "," separated ip addrs] fw tcp mysql

I have tried the word "all" instead of tcp and also "ACCEPT net fw tcp 22"
does nothing, i.e. I can't ping the server from outside. What am I doing
wrong here?

> Anything besides blacklist changes require you to restart shorewall.

Done that.

> Some light reading found at http://www.shorewall.net/Documentation_Index.html

Thanks, I know, but I don't have time right now...
 
 
 

Shorewall and MySQL problem

Post by Bit Twiste » Mon, 12 Feb 2007 03:35:20



> I have tried the word "all" instead of tcp and also "ACCEPT net fw tcp 22"
> does nothing, i.e. I can't ping the server from outside. What am I doing
> wrong here?

Mixing your apples and oranges I guess.
Port 22 is ssh, not mysql, and you can not ping services.
"Does nothing" may indicate the service is not running.

If you meant ping, that can be because the system
is set up to just drop pings. Mine does.

>> Some light reading found at
>>    http://www.shorewall.net/Documentation_Index.html

> Thanks, I know, but I don't have time right now...

Ok, we understand, you get back with us when you have the time.

To improve your Usenet experience I'll suggest
   http://www.catb.org/~esr/faqs/smart-questions.html
without skimming.

 
 
 

Shorewall and MySQL problem

Post by tj » Mon, 12 Feb 2007 04:32:03




>> I have tried the word "all" instead of tcp and also "ACCEPT net fw tcp 22"
>> does nothing, i.e. I can't ping the server from outside. What am I doing
>> wrong here?

> Mixing your apples and oranges I guess.

This sounds somewhat familiar...

> Port 22 is ssh, not mysql, and you can not ping services.
> "Does nothing" may indicate the service is not running.

Nor is it 3xxx, which it should be.

> Ok, we understand, you get back with us when you have the time.

I'm very sorry. Totally my mistake.

> To improve your Usenet experience I'll suggest
>    http://www.catb.org/~esr/faqs/smart-questions.html
> without skimming.

so?
 
 
 

Shorewall and MySQL problem

Post by tj » Tue, 13 Feb 2007 02:41:58


Here are the lines I added that solved this problem (First shorewall and
last mysql):

rules
-----
ACCEPT  net:[ip,ip,ip]  fw      all

policy
------
loc     all     ACCEPT
fw      all     ACCEPT
net     all     DROP    info
all     all     REJECT  info

interface
---------
net     eth0    detect  dhcp
loc     eth1    detect  dhcp

zones
-----
net     Net     The Internet
loc     Local   Local Network
dmz     DMZ     demilzone

shorewall.conf
--------------
IP_FORWARDING=On
DROPINVALID=Yes

/etc/default/shorewall
----------------------
startup=1

mysql
-----

ps. Thanks to Bit Twister for the advice and for kicking my arse for being
rude...

 
 
 

Shorewall and MySQL problem

Post by Bit Twiste » Tue, 13 Feb 2007 03:07:10



> Here are the lines I added that solved this problem (First shorewall and
> last mysql):

> rules
> -----
> ACCEPT     net:[ip,ip,ip]  fw      all

Well, now the system accepts any connection besides mysql for ip,ip,ip
It is a solution for mysql, but your server is now more at risk from
[ip,ip,ip]

When your server is cracked from [ip,ip,ip] and used to attack other
systems, YOU are to blame for not setting a tighter rule.

Do take just a minute to read the /troubleshooting/ link found at
   http://www.shorewall.net/Documentation_Index.html
/Connection Problems/ is where I would like to see the minute spent.

> interface
> ---------
> net        eth0    detect  dhcp

Now you can add some net options and get a tighter wall. I'll suggest
routefilter,tcpflags

> shorewall.conf
> --------------

Did you look in that file to see where your shorewall log messages are sent?

> ps. Thanks to Bit Twister for the advice and for kicking my arse for being
> rude...

Anytime.  8-)
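
The objection above is that `ACCEPT net:[ip,ip,ip] fw all` opens every port on the firewall host to those addresses when only 3306/tcp was needed. As an added example (not from this thread and not Shorewall's own code), here is a small lint that reads a Shorewall 2.x rules file and flags ACCEPT rules from the net zone that carry no destination port, i.e. rules of exactly that shape. The sample rules file is constructed for the example and shows the wide-open rule next to its tightened equivalent; the column layout assumed is the 2.x one, ACTION SOURCE DEST PROTO DEST PORT(S). Run it as `lint_wide_open < /etc/shorewall/rules` on a real host.

```shell
#!/bin/sh
# Added example: flag ACCEPT rules from the net zone that do not restrict
# the destination port. SAMPLE_RULES is constructed test data in the
# Shorewall 2.x rules layout (ACTION SOURCE DEST PROTO DEST_PORT).

SAMPLE_RULES='#ACTION SOURCE                    DEST  PROTO  DEST PORT(S)
# wide open: every port on the firewall for the two hosts
ACCEPT  net:192.0.2.10,192.0.2.11 fw    all
# tightened: only MySQL, only TCP, only those two hosts
ACCEPT  net:192.0.2.10,192.0.2.11 fw    tcp    3306
# local zone is not what this check is about
ACCEPT  loc                       fw    tcp    22
# worst case: the whole Internet, every port
ACCEPT  net                       fw    all
'

# Read a rules file on stdin. Print every ACCEPT rule whose SOURCE is the net
# zone (bare "net" or "net:addr,...") and whose DEST PORT column is empty or
# "-", since such a rule admits every port of the named protocol.
# Exit status: 0 if nothing was flagged, 1 otherwise.
lint_wide_open() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == "ACCEPT" && ($2 == "net" || $2 ~ /^net:/) {
            port = ($5 == "") ? "-" : $5
            if (port == "-") {
                print "wide-open: " $0
                found = 1
            }
        }
        END { exit found ? 1 : 0 }
    '
}

# Stand-alone run against the constructed sample.
printf '%s' "$SAMPLE_RULES" | lint_wide_open
```

A rule with PROTO `all` and no port, and a rule with PROTO `tcp` and no port, are both flagged: the first opens every protocol, the second every TCP port. The fix in either case is to name the port (`tcp 3306`, or `- mysql` as suggested earlier in the thread), not to widen the source list.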
 
 
 

Shorewall and MySQL problem

Post by tj » Tue, 13 Feb 2007 03:28:23



>> rules
>> -----
>> ACCEPT net:[ip,ip,ip]  fw      all

> Well, now the system accepts any connection besides mysql for ip,ip,ip
> It is a solution for mysql, but your server is now more at risk from
> [ip,ip,ip]

Yes, but those IPs belong to computers I can reach without getting up.
Can you force a computer to show a specific IP outside nowadays? )*1

> When your server is cracked from [ip,ip,ip] and used to attack other
> systems, YOU are to blame for not setting a tighter rule.

I _tried_ to test this server to be secure from any kinds of attacks
from outside. See question )*1 above

> Do take just a minute to read the /troubleshooting/ link found at
>    http://www.shorewall.net/Documentation_Index.html
> /Connection Problems/ is where I would like to see the minute spent.

I will, but right now I don't have the time.
 
 
 

Shorewall and MySQL problem

Post by Bit Twiste » Tue, 13 Feb 2007 04:58:27




>> Well, now the system accepts any connection besides mysql for ip,ip,ip
>> It is a solution for mysql, but your server is now more at risk from
>> [ip,ip,ip]

> Yes but those ips belong to computers I can reach without getting up.

I read an article a few days ago. 80% are internal cracks from
disgruntled employees.

Noticed you are posting from windows. With /known/ malware signature count
past the half a million mark, I would have to treat any doze box on
the lan like it was an external connection.

> I _tried_ to test this server to be secure from any kinds of attacks
> from outside.

Security is designed in up front, not added later by testing.

The first line of defense is the firewall and it only lets the
required ips access for /only/ the services they require. Not the wild
card service access you granted.

Servers are being cracked through applications running behind the
firewall via poor programming practices.

The first, it seems, is that programmers are no longer validating input
before using it.

As an "Oh by the way", webmin is a nice remote access gui tool for
managing shorewall.

I assume you did set the routestopped values.

 
 
 

Shorewall and MySQL problem

Post by tiize » Wed, 14 Feb 2007 03:42:55



> I read an article a few days ago. 80% are internal cracks from
> disgruntled employees.

Please post references to that article.

> Noticed you are posting from windows. With /known/ malware signature count
> past the half a million mark, I would have to treat any doze box on
> the lan like it was an external connection.

This xp is on a different lan.

>> I _tried_ to test this server to be secure from any kinds of attacks
>> from outside.

> Security is designed in up front, not added later by testing.

That I do disagree with. At least parts of it.

> The first line of defense is the firewall and it only lets the
> required ips access for /only/ the services they require. Not the wild
> card service access you granted.

Agreed.

> Servers are being cracked through applications running behind the
> firewall via poor programming practices.

Agreed.

> The first, it seems, is that programmers are no longer validating input
> before using it.

Agreed.
 
 
 

Shorewall and MySQL problem

Post by Bit Twiste » Wed, 14 Feb 2007 04:02:42




>> I read an article a few days ago. 80% are internal cracks from
>> disgruntled employees.

> Please post references to that article.

I had looked for it when I posted and could not find it.  :(
Basically it was the employee passed over for consideration, poor
raise, pretty sure they were going to be laid off, troublemaker
types. Of course there's always the plain old thief.

You have to admit, employees surfing from the Employer's network does
not help keep out malware. Criminals are targeting the employee inside
the Employer's net to gain access.

I could see how an intrusion report would rather say "disgruntled employee"
than "cracker access".   :(