Restricting port 3306 with the PF firewall

Frantisek Hennel frantisek.hennel at gmail.com
Sun Jun 6 12:10:07 CEST 2021


Thanks, but this doesn't work for me either :-(. I extended my rules with
yours, and this is the result.
pf.conf
table <blockedips> persist file "/etc/pf.blocked.ip.conf"
ext_if="em0" # interface connected to internet
block drop in log (all) quick on $ext_if from <blockedips> to any

table <mwhite> persist file "/etc/pf.mysqlwhite.ip.conf"
pass in quick on $ext_if from <mwhite> to any port 3306
block return in log (all) quick on $ext_if from any to any port 3306

Reloading pf rules.
/etc/pf.conf:6: port only applies to tcp/udp
/etc/pf.conf:6: skipping rule due to errors
/etc/pf.conf:6: rule expands to no valid combination
/etc/pf.conf:7: port only applies to tcp/udp
/etc/pf.conf:7: skipping rule due to errors
/etc/pf.conf:7: rule expands to no valid combination

Frantisek

On Sun, 6 Jun 2021 at 10:27, Dan Lukes <dan at obluda.cz> wrote:

> Frantisek Hennel wrote on 06.06.2021 9:53:
> > I need to block access to the MySQL server (port 3306) so that it
> > is not reachable from the internet, and allow this port only for
> > specific IP addresses, or possibly specific subnets.
>
> > table <blockedips> persist file "/etc/pf.blocked.ip.conf"
> > ext_if="em0" # interface connected to internet
> > block drop in log (all) quick on $ext_if from <blockedips> to any
>
> I don't use PF much, my favourite is IPFW, but there's no reason PF
> couldn't be used for this.
>
> But the logic in your rules seems to me to be the reverse of what you
> described in words.
>
> In words you said you want to block everything except the listed
> addresses/address ranges. In the rules, however, you block the listed
> addresses rather than allow them. Moreover, the rule does not mention
> the port at all, so you block all ports, and you also tie the filtering
> exclusively to the external interface, so any connections arriving via
> other interfaces remain allowed (which may or may not be what you want).
>
> So I would see it more like
>
> table <mwhite> persist file "/etc/pf.mysqlwhite.ip.conf"
> ext_if="em0" # interface connected to internet
> pass in quick on $ext_if from <mwhite> to any port 3306
> block return in log (all) quick on $ext_if from any to any port 3306
>
> But as I said, I don't use PF, so maybe it can be done even more
> efficiently. Someone will correct me if need be. I kept the binding to
> the external interface $ext_if; if that's not what you want, just leave
> it out.
>
> Dan
>
> --
> FreeBSD mailing list (users-l at freebsd.cz)
> http://www.freebsd.cz/listserv/listinfo/users-l
>
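Added example, not from either poster: the pfctl errors above ("port only applies to tcp/udp") come from the fact that pf's `port` keyword is only valid together with `proto tcp` or `proto udp`; without a `proto`, the rule would match every IP protocol and pfctl refuses it. The script below writes the ruleset from the thread with `proto tcp` added to both port-3306 rules, runs a small lint that flags any rule using `port` without `proto` (the same condition pfctl rejects), and, only on a host that actually has pf, parse-checks the result with `pfctl -n` without loading it. Table names and the two table files are taken from the thread; `em0` as the external interface is an assumption carried over from the posted config.

```shell
#!/bin/sh
# Corrected ruleset: "port" requires "proto tcp" (or udp) in pf.
# <blockedips>, <mwhite> and the two table files are from the thread;
# em0 as the external interface is an assumption.
corrected_rules() {
    cat <<'EOF'
ext_if="em0"    # interface connected to internet (assumed)
table <blockedips> persist file "/etc/pf.blocked.ip.conf"
table <mwhite> persist file "/etc/pf.mysqlwhite.ip.conf"

# Drop anything from the blocklist before any other rule.
block drop in log (all) quick on $ext_if from <blockedips> to any

# MySQL: admit only the whitelist, then reject (with RST) everyone else.
pass in quick on $ext_if proto tcp from <mwhite> to any port 3306
block return in log (all) quick on $ext_if proto tcp from any to any port 3306
EOF
}

# Lint read from stdin: a rule line that uses "port" but no "proto" is
# exactly what pfctl rejects with "port only applies to tcp/udp".
# Prints the offending line numbers; exit status 1 if any were found.
check_port_has_proto() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /[[:space:]]port[[:space:]]/ && !/[[:space:]]proto[[:space:]]/ {
            print NR ": port without proto"; bad = 1
        }
        END { exit bad }
    '
}

# Parse-check with pfctl -n (parse only, nothing is loaded) when pf exists;
# on a machine without pfctl this is a no-op so the script stays portable.
validate_with_pfctl() {
    if command -v pfctl >/dev/null 2>&1; then
        f=$(mktemp)
        corrected_rules > "$f"
        pfctl -nf "$f"
        rm -f "$f"
    fi
}

# Usage: show the rules, lint them, then let pfctl parse them if available.
corrected_rules
corrected_rules | check_port_has_proto && validate_with_pfctl
```

The rule order matters: `quick` on the whitelist pass means a listed address is accepted before the block rule is reached, while everything else hitting 3306 on the external interface gets a RST and a log entry, so a scan of the port shows up in `pflog` rather than silently timing out. As Dan notes, tying the rules to `$ext_if` leaves other interfaces untouched; drop `on $ext_if` if the restriction should apply everywhere.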

