[Solved] Confusion in understanding pf rules

Hello all,

I am trying to set up a new system on a new VM.
I have 1 FreeBSD 10.1 host that has 4 www/hiawatha webservers and 1 databases/mariadb100-server server

Web 1 - Hiawatha reverse proxy - 10.8.20.10
Web2 - myfirstdomain.com - 10.8.20.20
Web3 - myseconddomain.co.uk - 10.8.20.30
Web4 - mythirddomain.org - 10.8.20.50
mariaDB - 10.8.20.12

my /etc/pf.conf file is as follows:
Code:
ext_if="xn0"
jail_if="lo1"

IP_PUB="218.95.4.6"
IP_JAIL_WWW_PROXY="10.8.20.10"
IP_JAIL_DB="10.8.20.12"

NET_JAIL="10.8.20.0/24"

PORT_WWW="{80,443}"
PORT_DB="1696"

scrub in all

# nat all jail traffic
nat pass on $ext_if from $NET_JAIL to any -> $IP_PUB

# WWW
rdr pass on $ext_if proto tcp from any to $IP_PUB port $PORT_WWW -> $IP_JAIL_WWW_PROXY

# DB
rdr pass on $ext_if proto tcp from any to $IP_PUB port $PORT_DB -> $IP_JAIL_DB

# demo only, passing all traffic
pass out
pass in

In the past I always had to set the port of the database for any new WordPress installation as
define('DB_HOST', '10.8.20.12:1696'); but since I started using this new /etc/pf.conf file I had to remove the port number :1696.... And I DON'T UNDERSTAND WHY

My previous /etc/pf.conf file looked like this
Code:
### Interfaces ###
ext_if="lagg0"

IP_FREEBSD_HOST="192.168.1.185"
IP_WEBJAIL="192.168.1.125"
IP_DBJAIL="192.168.1.130"
IP_MAILJAIL="192.168.1.145"

HOSTS= "{" $IP_FREEBSD_HOST $IP_WEBJAIL $IP_DBJAIL $IP_MAILJAIL "}"
ICMP_TYPES="{echoreq,unreach}"

PORT_WEB="{80,443}"
PORT_SSH="{1913,1914,1915,1514,1194,22,2205}"
#PORT_ZABBIX="{10059}"

### Tables ###
table <workssh> {197.164.1.1/24,233.176.150.254}
table <sshguard> persist
table <ossec_fwtable> persist

# [options]
set skip on lo0

# [normalization]
scrub in all

# NAT rules
nat-anchor "openvpn"
# RDR rules
rdr-anchor "openvpn"

# [translation]

# [filtering]
pass out all
block in all
anchor "openvpn"

# block all IPs from  sshguard-pf and ossec_fwtable blocklist without any further evaluation
block drop in log quick on $ext_if inet from <sshguard> to any
block in log on $ext_if from <ossec_fwtable>

# Allow ssh traffic from authorised hosts and set Stateful Tracking Options (STO)
pass log on $ext_if inet proto tcp from <workssh> to $HOSTS port $PORT_SSH \
    flags S/SA keep state \
        (max-src-conn 100, max-src-conn-rate 15/5, \
             overload <sshguard> flush global)

# Allow HTTP and HTTPS traffic
pass in quick proto tcp from any to $IP_WEBJAIL port $PORT_WEB
Now, using this configuration, if I don't specify the port number no connection is made.
 
Code:
# DB
rdr pass on $ext_if proto tcp from any to $IP_PUB port $PORT_DB -> $IP_JAIL_DB
I strongly recommend removing this line. You really don't want to expose your MySQL/MariaDB port to the outside world. There's no access log and there's nothing stopping anyone from brute-forcing their way in. And because there's no access logging you will never know this is happening. The websites don't need it because they're connecting to the 'inside' address.

As for the port, are you sure MariaDB is running on port 1696? The default port is 3306.
 
As for the port, are you sure MariaDB is running on port 1696? The default port is 3306.
Yes I am. Here is the relevant part of /local/my.cnf file
Code:
[...]
[mysql]

#### CLIENT ####
socket                         = /tmp/mysql.sock                      # The mysql.sock is the socket that mysqld creates for programs to connect to.
port                           = 1696                                 # port on which MySQL listens (default is 3306)

[mysqld]

#### GENERAL ####
user                           = mysql
bind-address                   = 10.8.20.12
default-storage-engine         = InnoDB                               #default storage engine
pid-file                       = /var/db/mysql/holy.mybusiness.ltd.pid # where the process id (pid) assigned by the server is recorded
[...]
As far as PF is concerned was my old config rule better?
Should I go back to it? Could you give an example of "access logging"
 
Yes I am. Here is the relevant part of /local/my.cnf file
Yes, that looks good. Check with sockstat -4 to see if it's actually running on that port.

As far as pf is concerned was my old config rule better?
Should I go back to it? Could you give an example of "access logging"
I don't think it matters much, both look fine. Just don't allow access to your MySQL/MariaDB from the internet, that's going to hurt you sooner or later.
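As an added illustration of the advice above and of the "access logging" asked about (not part of the thread, and using the variable names from the first pf.conf in the thread), this is the exposed rule beside a form that keeps the DB reachable only from the jail network and logs new connections to pflog0. The logged rules must come after the demo "pass in" line, since in pf the last matching rule wins, and pflog_enable="YES" is needed in /etc/rc.conf for the pflog0 interface.

```pf
# Weak (from the thread): forwards a public port straight to the DB jail, unlogged
# rdr pass on $ext_if proto tcp from any to $IP_PUB port $PORT_DB -> $IP_JAIL_DB

# Corrected: no rdr for the DB at all. Only the jail network may reach it,
# and each new connection is logged (read with: tcpdump -n -e -ttt -i pflog0)
block in log on $jail_if proto tcp to $IP_JAIL_DB port $PORT_DB
pass in log on $jail_if proto tcp from $NET_JAIL to $IP_JAIL_DB port $PORT_DB
```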
 
SirDice ,
You are right...
root@holy:/ # sockstat -4 returns
Code:
USER  COMMAND  PID  FD PROTO  LOCAL ADDRESS  FOREIGN ADDRESS
root  sshd  19517 3  tcp4  10.8.20.12:22  *:*
mysql  mysqld  9076  22 tcp4  10.8.20.12:3306  *:*
I restarted the service with /usr/local/etc/rc.d/mysql-server stop and /usr/local/etc/rc.d/mysql-server start but it is still showing port 3306 as the one in use.....

I am puzzled as to where it is getting this port from.

I have removed all the DB entries from the pf file and so far so good :).
 
I assumed it was a typo but did you really use /local/my.cnf? The file should be /usr/local/etc/my.cnf. And you probably also have to add
Code:
mysql_optfile="/usr/local/etc/my.cnf"
to /etc/rc.conf.
 
SirDice,
/usr/local/etc/my.cnf is the correct location of my file. I managed to identify the issue. :) I put the port number inside the [mysql] block instead of the [mysqld] block.

sockstat -4 now shows that port 1696 is in use
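The root cause above (a "port" line under [mysql], which only configures the client, instead of [mysqld]) is easy to miss by eye. This added script, not from the thread, reports which my.cnf section sets "port" and which port mysqld will actually listen on; the two my.cnf samples inside it are constructed to mirror the thread's wrong and corrected files.

```sh
#!/bin/sh
# Added example, not from the thread: show which my.cnf section(s) set "port".
# A port under [mysql] only tells the mysql *client* where to connect;
# the server listens on the port under [mysqld] (default 3306).
set -eu

# Print "section value" for every port= line, tracking the current [section].
mycnf_port_sections() {
    awk '
        /^[ \t]*\[/ { s=$0; sub(/^[ \t]*\[/,"",s); sub(/\].*/,"",s); sect=s; next }
        /^[ \t]*port[ \t]*=/ {
            v=$0; sub(/^[ \t]*port[ \t]*=[ \t]*/,"",v)
            sub(/[ \t]*#.*/,"",v); sub(/[ \t]+$/,"",v)     # strip inline comment
            print sect, v
        }' "$1"
}

# The port mysqld will actually listen on: the last [mysqld] port, else 3306.
mysqld_listen_port() {
    p=$(mycnf_port_sections "$1" | awk '$1=="mysqld" {print $2}' | tail -n 1)
    echo "${p:-3306}"
}

# Constructed sample mirroring the thread: port placed under [mysql].
WRONG_CNF=$(mktemp)
cat >"$WRONG_CNF" <<'EOF'
[mysql]
socket = /tmp/mysql.sock   # client socket
port   = 1696              # only affects the mysql client

[mysqld]
user         = mysql
bind-address = 10.8.20.12
EOF

# Constructed corrected sample: port placed under [mysqld].
RIGHT_CNF=$(mktemp)
cat >"$RIGHT_CNF" <<'EOF'
[mysql]
socket = /tmp/mysql.sock

[mysqld]
user         = mysql
bind-address = 10.8.20.12
port         = 1696
EOF

echo "wrong: mysqld listens on $(mysqld_listen_port "$WRONG_CNF")"   # 3306
echo "right: mysqld listens on $(mysqld_listen_port "$RIGHT_CNF")"   # 1696
```

Run it against the real file with mysqld_listen_port /usr/local/etc/my.cnf and compare with sockstat -4 output.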
 