Block MySQL (port 3306) connects from the outside?

MMacD

I run an Apache server and MariaDB backend locally.  MariaDB listens on 3306.  I don't want anyone from the inet trying to connect to the Maria server.  But I'm not sure I understand how to create a rule to prevent it.

Clearly I need to block port 3306.  But on which interface?  Maria is listening on 3306 on the server box, but I'm guessing the listening propagates to the firewall's 3306 too, presumably on the WAN port to make it visible to the outside.  Yes?  No?  :-\

Help?

mer

Do you intend your Apache server to be visible from WAN?
Is your MariaDB running on the same system as Apache?

Assuming your Apache server and MariaDB are running on the same host, configure MariaDB to listen to only localhost (I'm assuming it can be configured to do that).  If they are not running on the same host, but they are both on the same "side" of your pfSense box (LAN), a block rule "from any/any to mariadbip port 3306" on WAN would work.  But you may not need that;  WAN has a default deny unless it's in response to traffic originated on LAN side.

A simple network picture of the systems would make it easier to help.

KOM

As mer already said, the default WAN rule is to allow nothing in.  Unless you have specifically added a rule on WAN that allows TCP access on 3306, nothing can get there.

MMacD

@mer:

Do you intend your Apache server to be visible from WAN?

No, but I have a .conf rule taking care of that - nobody but the LAN can make requests.

Is your MariaDB running on the same system as Apache?

Yes, everything's on one box as a convenience.

Assuming your Apache server and MariaDB are running on the same host, configure MariaDB to listen to only localhost (I'm assuming it can be configured to do that).

In theory, a my.ini line "bind-address=127.0.0.1" will do it, but there seems to be some question about whether it really works.

If they are not running on the same host, but they are both on the same "side" of your pfSense box (LAN), a block rule "from any/any to mariadbip port 3306" on WAN would work.  But you may not need that;  WAN has a default deny unless it's in response to traffic originated on LAN side.

I think that's what I'm looking for.  I couldn't figure out whether listening on 3306 qualified as "traffic originating on the LAN side", so I thought it'd be safer to have an explicit shut-out for both.

A simple network picture of the systems would make it easier to help.

It's not sophisticated in this instance – just the dev box and the firewall box connected via a dumb hub.  That'll change when I find time to bring up the NAS box, but for right now there's only the two boxes.

MMacD

@KOM:

As mer already said, the default WAN rule is to allow nothing in.  Unless you have specifically added a rule on WAN that allows TCP access on 3306, nothing can get there.

I was just nervous because I couldn't find anything that explained whether listening on a port qualified as an invitation to come in.  It might be worth a mention in the FAQ.

johnpoz

"It might be worth a mention in the FAQ."

huh?? If you do not forward the ports on pfsense.  Then does not matter if you were listening on every single port.  This is basic firewall 101, do we really need to create a faq for this sort of stuff?

KOM

I was just nervous because I couldn't find anything that explained whether listening on a port qualified as an invitation to come in.

Better safe than sorry.  Access to internal resources requires both a port forward/NAT of some type, plus a firewall rule to allow access through the firewall.  If someone inside your house is listening for someone outside, that someone outside won't be able to talk to them unless you open the front door.

MMacD

@johnpoz:

"It might be worth a mention in the FAQ."

huh?? If you do not forward the ports on pfsense.  Then does not matter if you were listening on every single port.  This is basic firewall 101, do we really need to create a faq for this sort of stuff?

Well, I didn't know it, and I made my living writing/managing software.  Not everyone is an expert in everything.

I hope you'll agree that, in general, providing more information is better than providing less.

KOM

Well, I didn't know it, and I made my living writing/managing software.  Not everyone is an expert in everything.

True, but you're kind of expected to know the basics when you're working with an expert-level tool.  Just as Visual Studio (or your IDE of choice) doesn't teach you how to program, pfSense won't guide you through everything.  Unfortunately, if you screw it up with a firewall due to inexperience or lack of knowledge, you end up leaving your ass hanging out on the Internet.  At least you're asking the right questions beforehand.  Most people new to firewalls/networking seem to play around just to get something working without understanding all the potential pitfalls and ramifications of what they did.

mer

And one of the best tools for getting started is a piece of paper and pencil (or whiteboard and markers).  Draw a box that represents the firewall.  draw an arrow representing the outside world.  draw a line representing the inside world, connecting to another box (switch).  draw a few boxes for internal clients, connecting them to the switch.  That's your phyical representation of your network.

Now stand on the firewall, start with "default deny" on all interfaces.  Nothing gets in or out unless explicitly allowed.  That is locked down, your starting point.
Now go to the clients;  decide what traffic out of them you want to allow.  Everything?  HTTP, HTTPS only?  Then you need a rule on the firewall LAN port to allow it.  Work the traffic through the firewall, keeping in mind that the firewall keeps state.  Keeping state means that a response to your outbound traffic is allowed back in.  Repeat as needed for your traffic types, adding in any NAT or redirects from the outside as you need.

Even if you have a single client on the LAN side going to a single WAN out of the firewall, the above exercise makes you understand the whole system and when you add clients or services, you can do it with minimal problems.

Derelict

And there are always experts in the field available for hire if you don't know what you're doing.

I'm not quite sure why so many people think administering a firewall is something anyone ought to be able to do.

Derelict

@mer:

Now stand on the firewall, start with "default deny" on all interfaces.  Nothing gets in or out unless explicitly allowed.  That is locked down, your starting point.

Fixed it for you.

mer

@Derelict:

And there are always experts in the field available for hire if you don't know what you're doing.

I'm not quite sure why so many people think administering a firewall is something anyone ought to be able to do.

"Linksys WRT54G"  is probably why.  :o

mer

@Derelict:

@mer:

Now stand on the firewall, start with "default deny" on all interfaces.  Nothing gets in or out unless explicitly allowed.  That is locked down, your starting point.

Fixed it for you.

Well one could actually "block on interface blah" which would not let anything out, then add "pass out on blah from self to any port xyz".

pf lets you block all in and out on an interface;  of course one needs console interface to configure it then.

Derelict

The problem is the default configuration is to block anything IN except for the default pass rule in on LAN.  In that default configuration, pfSense is free to make OUTBOUND connections itself, such as DNS queries or OpenVPN client connections.

Beginners start to understand things better when they figure out that rules generally allow traffic INTO pfSense, not OUT of it.  With that information they start to understand:

1. What interface a rule should go on
2. What the source information should be
3. what the destination information should be

Floating rules can be used to block outbound traffic on an interface but that is an advanced topic.

mer

As for the way pfSense, I'll concede the point.  :o

I think my method of drawing the picture helps with your 3 points.

MMacD

@KOM:

Well, I didn't know it, and I made my living writing/managing software.  Not everyone is an expert in everything.

True, but you're kind of expected to know the basics when you're working with an expert-level tool.

Actually, I did know the basics.  What I didn't know was the answer to that one rather obscure point.

I started to wonder about it because, although I had the default block-everything on the WAN, when I'd connect to some site, commondreams.org for an actual example, I found that the firewall was letting third-party stuff through that had no permitting rule.  It was obviously piggybacking on the connection to commondreams even though I had never explicitly permitted it.  It was happening under the table.  It seemed to me that since it had a different ip address, it should have been scraped off rather than let through.

So if there's an implicit rule that allows stuff through from a totally different ip origin, I wondered whether it would also let someone come in on 3306 if they happen to stumble across it.  I found that a much less unreasonable idea than that the firewall would let in stuff from a completely different source than the one I intentionally connected to – that really bothered (and bothers) me because it looks so Trojan-Horse-y.

(Another example:  I'm voluntarily connected only to this forum right now, but netstat shows connections to facebook and google's snoopage site 1e100.net.  That's pretty disturbing since I definitely do not have rules with their names on!)

johnpoz

"It was obviously piggybacking on the connection to commondreams even though I had never explicitly permitted it."

Dude BS plain and simple.. So you do understand when you go to a website there are going to be lots of different urls to load say images, ads, scripts, etc. etc..  And your machine is going to make connections to them.. They are not making unsolicited connections to your machine.

mer

The outbound request is from your IP, ephemeral port (a.b.c.d:XYZ), to 1.2.3.4, port 80.  Stateful firewall puts it in a table showing valid connection with a.b.c.d:XYZ.  All of these "piggybacked" traffic comes with dest addr of a.b.c.d:XYZ so they match state.

As for the db app listening on 3306, basic rule is Listening sockets don't send unless it's in reponse to something.  That's pretty much basic networking, nothing magical about it.  Every db server that I've come across doesn't send anything unless it's in response to something, so unless there is a funky configuration thing where your db server starts up and sends unsolicited traffic out the WAN port, there is nothing to be concerned about.  Again, default deny in on WAN covers pretty much everything until you start adding pass rules.

johnpoz

lets say you were talking to 1.2.3.4:80 from your private machine, and pfsense created a state from its publicIP:666 to 1.2.3.4 – even if traffic hits your publicIP:666 its out of state because its not coming from 1.2.3.4.

I do believe that pfsense uses Port Restricted Cone NAT not only does the traffic have to be coming from 1.2.3.4 it also has to be coming from a source port of 80 since that is the state that was connected.

Unsolicited inbound traffic to pfsense is BLOCKED out of the box.. unless you created rules to allow such traffic or its in answer to a state created by a machine going outbound the traffic is blocked.  Does not matter what inbound ports some box inside is listening on.

Now what can get you in trouble is UPnP where boxes can open up ports, or 1:1 nat with any any sort of rules.