First time playing with Jails.
I essentially want to limit mysql to only accept connections from within the jail (and if I can get this to work, then extend it to allow only connections from my webserver jail).
I have tried setting bind-address to both 127.0.0.1 & 192.168.0.3. To my knowledge there is nothing traditional about the mysql configuration that is stopping this. It is a fresh install. Can post my install steps if that is required.
Unsure how to proceed. I am still able to access from the host:
Code:
(host)$ mysql -u root -h 192.168.0.3 -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
(Yes, I have restarted the mysql service after editing my.cnf).
Relevant configuration (let me know what else is required).
/etc/rc.conf:
Code:
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
hostname="REDACTED"
fstabcheckdisks_enable="YES"
ifconfig_vmx0="inet REDACTED IP netmask 255.255.255.0"
defaultrouter="REDACTED IP"
ifconfig_vmx1_alias0="inet 172.16.0.1 netmask 255.255.255.0"
jail_enable="YES"
jail_list="db www"
jail_reverse_stop="YES"
# jails shenanigans
cloned_interfaces="lo1"
ipv4_addrs_lo1="192.168.0.1-3/29"
pf_enable="YES"
clear_tmp_enable="YES"
clear_tmp_X="YES"
/usr/jail/db/etc/rc.conf:
Code:
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
mysql_enable="YES"
/etc/pf.conf:
Code:
# Public IP Address
PUB_IP = "REDACTED"
PUB_IN = "vmx0"
# Packet normalization
scrub in all
# Allow outbound connections from within the jails
nat on vmx0 from lo1:network to any -> (vmx0)
# www jail at 192.168.0.2
rdr on $PUB_IN proto tcp from any to $PUB_IP port 80 -> 192.168.0.2
rdr on $PUB_IN proto tcp from any to $PUB_IP port 443 -> 192.168.0.2
# mysql jail at 192.168.0.3
#rdr on $PUB_IN proto tcp from any to $PUB_IP port 3306 -> 192.168.0.3
/etc/jail.conf:
Code:
$j = "/usr/jail";
path = "$j/${name}";
## Default configuration
mount.devfs; # for access to devfs
host.hostname = "${name}.jail"; # expands to `www.jail`
exec.clean;
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
db
{
ip4.addr = 192.168.0.2;
}
www
{
ip4.addr = 192.168.0.3;
}
/usr/jail/db/usr/local/etc/mysql/my.cnf:
Code:
[client-server]
bind-address = 192.168.0.3
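Added example, not from the original post: the posted pf.conf has translation rules but no filter rules, so pf passes everything by default and nothing on the host stops a connection to 192.168.0.3:3306 once mysqld listens on the jail address (the addresses on a cloned lo1 belong to the host too, which is why bind-address alone cannot keep the host out). The ruleset below keeps the poster's macros, scrub, nat and rdr lines and adds a default-deny for port 3306 on lo1 with a single pass rule for the www jail. It assumes the layout the pf.conf comments and the mysql test describe, db jail at 192.168.0.3 and www jail at 192.168.0.2; note that the posted jail.conf assigns ip4.addr the other way round, so the two files should be reconciled before loading this.

```pf
# Added example ruleset (not the poster's file). Assumes db jail at
# 192.168.0.3 and www jail at 192.168.0.2, both on cloned interface lo1,
# with the public interface vmx0 as in the original post.
ext_if  = "vmx0"
jail_if = "lo1"
pub_ip  = "REDACTED"
www_jail = "192.168.0.2"
db_jail  = "192.168.0.3"

set skip on lo0            # real loopback stays unfiltered; lo1 is still filtered

scrub in all

# Outbound NAT for the jails (as in the original post)
nat on $ext_if from $jail_if:network to any -> ($ext_if)

# Public web traffic to the www jail (as in the original post)
rdr on $ext_if proto tcp from any to $pub_ip port { 80, 443 } -> $www_jail

# Weak state (the original): no filter rules at all, so pf's implicit
# default is "pass", and the host plus every jail on lo1 can reach 3306.

# Hardened: last matching rule wins in pf, so block first, then pass only
# the www jail. "log" sends denied attempts to pflog0 for review.
block in log on $jail_if proto tcp to $db_jail port 3306
pass  in on $jail_if proto tcp from $www_jail to $db_jail port 3306 keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load with `pfctl -f /etc/pf.conf`, and confirm the rules with `pfctl -sr`. After that the `mysql -h 192.168.0.3` test from the host should hang until it times out rather than connect, and `tcpdump -n -e -ttt -i pflog0` on the host shows each blocked attempt with its source address, which is a useful quick check that the deny rule is actually matching lo1 traffic. Keeping bind-address = 192.168.0.3 in my.cnf alongside this is still worthwhile: the pf rule controls who may reach the port, while bind-address controls which addresses mysqld listens on at all.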