Block MySQL (port 3306) connects from the outside?
-
dude what part do you not understand about your machine making connections??? You think those are inbound connections to your machine?? To those random ports? You really just don't even understand basic tcp do you??
This is starting to become funny, in a kind of unfunny way. You're saying that my machine is making those connects? Spontaneously? No outside motivation?! Just the machine itself is taking the decision to connect? I hope you're not, because my machine isn't that autonomous.
What should be happening is that I call the browser's HTTP GET routine, which SYN/ACK handshakes with some site foo.org and then sends the actual page request. Foo.org provides the page I requested, and since HTTP is stateless, drops the connect and forgets about me. Any time I want another page, the browser has to go through the same process again. (I did a quick check and HTTP still appears to be a stateless protocol)
Nowhere in that process is a request directed to bar.com for a persistent connect. My browser doesn't even know bar.com exists. So who's doing it? Is foo.org saying "here's the page you wanted and oh by the way here's a SYN on behalf of bar.com so please ACK/SYN it and let bar.com set up a persistent connect"? If that's what's happening, I'd say the firewall isn't looking carefully enough at what's going on.
-
Yes dude why don't you look at what happens when you open a browser page.. yes going to truth-out.org tells your machine to go to twitter stuff and facebook stuff. What do you not understand about this??
Depending on the site and ads you could end up with hundreds of connections.. To who knows where..
Your browser reads the code in a page, and follows it - if the code says hey open this up.. Guess what, it tells your machine to open that up.. Pfsense just says hey you're sending syn to this, rules allow it - there you go..
You really should look at the source of the sites you go to, or use, say, web developer in the browser like I posted and it shows you all the stuff it does a GET for, etc.. Or just fire up wireshark on your machine and watch where the syn's come from.
-
@BlueKobold:
Hmm, I really tried to follow this thread fully but I can't! Sorry for that.
If the Maria DB is behind NAT and no ports are opened and forwarded to the Maria DB, then it cannot be connected to from the outside.
That's how the whole thread got started – MariaDB is listening on 3306, and since the firewall box is the designated gateway, it's the 3306 on that box that's being listened on (actually, I hope that by having done bind-address=127.0.0.1 I've forced it to only play with the loopback, but that came later)
And by the way, placing everything in one LAN is the real danger here as I see it. Please create a DMZ for the Apache web server to get in contact with the Internet and place the Maria DB in the LAN, which should be kept safe.
This is a dev machine, so I don't really want Apache to talk to the inet either. It's only supposed to serve the lan, and I think I've got the permits set for that even though their documentation for the new v2.4 scheme isn't the best.
-
"MariaDB is listening on 3306, and since the firewall box is the designated gateway, it's the 3306 on that box that's being listened on"
What??? NO pfsense is not listening on 3306 because some box behind it is?? Did you forward port 3306??
-
What do you not understand about this??
I don't understand why the firewall isn't interfering with such piggybacking.
-
there is NO PIGGY BACKING!!! dude you open up a web page it tells your machine to open up other stuff! Period END of story.. What do you not understand?? Really open up that site and look at the source code, fire up wireshark and watch what happens.. Where do the Syns come from.. Use something like web developer in Firefox that shows what your browser is doing, where it's going, what the GETs are, etc..
so you understand what an iframe is?? So for example on your truth site
<iframe src="//www.facebook.com/plugins/like.php?href=http%3A%2F%2Fwww.facebook.com%2FTruthout.org&send=false&layout=button_count&width=120&show_faces=false&action=like&colorscheme=light&font&height=21&appId=174773479325394" frameborder="0" scrolling="no" width="150px" height="21px" allowtransparency="true" style="border: none; overflow: hidden; width: 150px; height: 21px;"></iframe>
What does that tell your browser to do? What do you think this code does
Which is loaded from platform.twitter.com – guess your browser is going to go there as well.. So the firewall will allow it because your rules do.. There is no Piggy backing..
If you have connections on your machine that you do not understand, then I suggest you investigate -- but it sure isn't pfsense letting connections in via other connections.. Your box started the connection, or you forwarded the traffic in.. This is how a firewall works. If you're seeing connections to stuff you do not understand then why don't you investigate that - run wireshark on your machine.. Watch all the connections it makes when you're not doing stuff ;) You will see in my listing of netstat connections from teamviewer, connection from meraki cisco client on this machine. dropbox checks in with home all the time.. Yes pfsense allows these connections because of your rules on your lan - which out of the box is any any!
-
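To make the point of the post above concrete, here is an added example (not from the thread, not pfSense code) that reads a page's HTML and lists the third-party hosts the browser will open connections to on its own. The page HTML is constructed for the demo: the Facebook iframe is the one quoted above, the platform.twitter.com script tag and the ad-tracker host are assumed.

```python
# Added example (not from the thread): list the third-party hosts a page makes
# the browser connect to, by pulling src/href out of iframe, script, img and
# link tags. Page URL and HTML are constructed for the demo.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

PAGE_URL = "http://truth-out.org/"  # site named in the thread

SAMPLE_HTML = """
<html><body>
<img src="/images/logo.png">
<iframe src="//www.facebook.com/plugins/like.php?href=http%3A%2F%2Fwww.facebook.com%2FTruthout.org&send=false" width="150px"></iframe>
<script src="//platform.twitter.com/widgets.js"></script>
<link rel="stylesheet" href="/css/site.css">
<script src="https://cdn.example-ads.invalid/tracker.js"></script>
</body></html>
"""

class RemoteRefs(HTMLParser):
    """Collect every URL the browser would fetch while rendering the page."""
    LOADERS = {"iframe": "src", "script": "src", "img": "src", "link": "href"}

    def __init__(self, base):
        super().__init__()
        self.base = base
        self.urls = []

    def handle_starttag(self, tag, attrs):
        want = self.LOADERS.get(tag)
        if not want:
            return
        for name, value in attrs:
            if name == want and value:
                # urljoin resolves protocol-relative "//host/path" and
                # same-origin "/path" references against the page URL
                self.urls.append(urljoin(self.base, value))

def third_party_hosts(html, page_url=PAGE_URL):
    """Return the sorted hosts other than the page's own origin."""
    p = RemoteRefs(page_url)
    p.feed(html)
    own = urlparse(page_url).hostname
    hosts = {urlparse(u).hostname for u in p.urls}
    return sorted(h for h in hosts if h and h != own)

if __name__ == "__main__":
    for host in third_party_hosts(SAMPLE_HTML):
        print("browser will open a connection to", host)
```

Every host printed is one the LAN box itself sends a SYN to, which is exactly what an "any any" LAN rule lets through.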
That's how the whole thread got started – MariaDB is listening on 3306, and since the firewall box is the designated gateway, it's the 3306 on that box that's being listened on
This is rubbish! Sorry, but if I have a server or a program that is listening on one or more ports, but it is behind a lazy consumer router doing SPI/NAT, there is no way from the outside to connect to that program or such a server! Point. So if I get your IP address, I can not do anything with it if all ports on your firewall or router are closed and they are doing SPI/NAT. Only if I open ports at the WAN interface (WAN port) and forward them to the internal private IP address of the Maria DB host will it work that the Maria DB can be connected to from the outside.
-
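The SPI/NAT behaviour described in the post above, as an added toy model (not from the thread, not pfSense code): an outbound SYN from the LAN creates a state entry so the replies are let back in, while an unsolicited inbound SYN to 3306 is dropped unless a port forward exists. The addresses, ports and the LAN prefix are constructed for the demo.

```python
# Added example (not from the thread): a minimal stateful firewall state table.
# LAN prefix, IPs and ports below are constructed for the demo.
LAN_NET = "192.168.1."  # assumed LAN

class StatefulFirewall:
    def __init__(self, port_forwards=None):
        self.states = set()               # (src_ip, src_port, dst_ip, dst_port)
        self.forwards = dict(port_forwards or {})  # wan_port -> (lan_ip, lan_port)

    def _is_lan(self, ip):
        return ip.startswith(LAN_NET)

    def packet(self, src_ip, src_port, dst_ip, dst_port, syn=False, ack=False):
        key = (src_ip, src_port, dst_ip, dst_port)
        reverse = (dst_ip, dst_port, src_ip, src_port)
        if key in self.states or reverse in self.states:
            return "pass (matches state)"      # reply to a known connection
        if syn and not ack and self._is_lan(src_ip):
            self.states.add(key)               # LAN "any any" rule: new outbound state
            return "pass (new outbound state)"
        if syn and not ack:
            fwd = self.forwards.get(dst_port)  # inbound SYN needs a port forward
            if fwd:
                self.states.add((src_ip, src_port) + fwd)
                return f"pass (forwarded to {fwd[0]}:{fwd[1]})"
            return "drop (unsolicited inbound)"
        return "drop (no state)"

def demo(forward_3306=False):
    """Browser SYN out, server SYN/ACK back, then an outside SYN to 3306."""
    forwards = {3306: ("192.168.1.10", 3306)} if forward_3306 else None
    fw = StatefulFirewall(forwards)
    browser = fw.packet("192.168.1.10", 51000, "203.0.113.80", 80, syn=True)
    reply = fw.packet("203.0.113.80", 80, "192.168.1.10", 51000, syn=True, ack=True)
    outside = fw.packet("203.0.113.7", 40000, "198.51.100.1", 3306, syn=True)
    return browser, reply, outside

if __name__ == "__main__":
    for forward in (False, True):
        print("port forward for 3306:", forward)
        for step, verdict in zip(("browser SYN", "server SYN/ACK", "inbound SYN 3306"), demo(forward)):
            print(f"  {step:18} -> {verdict}")
```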
I need to suspend this conversation awhile. I'll be back.
-
I'll be back.
No need really for this conversation to continue. Negative net value in this thread.
-
Yeah do a little reading on how tcp works and what a stateful firewall is and how web pages work ;)