# allow mysql on internal interface - PF



## tomsdongle (Jul 9, 2014)

Hi everyone,

It would seem that I can't connect to my external MySQL server (it's on the same private network as my FreeBSD instance).

Here is my pf.conf:


```
ext_if="xn0"
int_if="xn1"

webports = "{http, https}"
int_tcp_services = "{domain, ntp, www, https, 3306}"
int_udp_services = "{domain, ntp, 3306}"

set skip on lo
set loginterface $ext_if

# Normalization
scrub in all random-id fragment reassemble

block return in log all
block out all

antispoof quick for $ext_if

# Block rapid-fire brute-force attempts
table <bruteforce> persist
block quick from <bruteforce>

# ftp-proxy needs to have an anchor
anchor "ftp-proxy/*"

# SSH is listening on port 26
pass in quick proto tcp to $ext_if port 26 keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

pass in quick proto tcp to $int_if port 3306 keep state


# Webserver
pass proto tcp from any to $ext_if port $webports

# Allow essential outgoing traffic
pass out quick on $ext_if proto tcp to any port $int_tcp_services
pass out quick on $ext_if proto udp to any port $int_udp_services
```

Any ideas welcome. Interestingly, it's not appearing in my pflog at all.


----------



## SirDice (Jul 9, 2014)

What's the error message when you try to log in with MySQL?


----------



## tomsdongle (Jul 9, 2014)

If I disable the firewall, I log in fine.

When I enable the firewall I get:


```
#2002 Cannot log in to the MySQL server
```


----------



## SirDice (Jul 9, 2014)

Try using this:

```
pass in quick proto tcp to ($int_if) port 3306 keep state
```


----------



## tomsdongle (Jul 9, 2014)

Thank you @SirDice, that didn't work. However, this did:


```
ext_if="xn0"
int_if="xn1"

webports = "{http, https}"
ext_tcp_services = "{domain, ntp, www, https}"
ext_udp_services = "{domain, ntp}"

#new lines here
int_tcp_services = "{ 3306 }"
int_udp_services = "{ 3306 }"

set skip on lo
set loginterface $ext_if

# Normalization
scrub in all random-id fragment reassemble

block return in log all
block out all

antispoof quick for $ext_if

# Block rapid-fire brute-force attempts
table <bruteforce> persist
block quick from <bruteforce>

# ftp-proxy needs to have an anchor
anchor "ftp-proxy/*"


pass in quick proto tcp to $ext_if port 26 keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)



# Webserver
pass proto tcp from any to $ext_if port $webports

# Allow essential outgoing traffic
pass out quick on $ext_if proto tcp to any port $ext_tcp_services
pass out quick on $ext_if proto udp to any port $ext_udp_services

#new lines here
# Outbound connections on the internal interface need their own pass out rules
# because of the 'block out all' default; state tracking then admits the replies.
pass out quick on $int_if proto tcp to any port $int_tcp_services
pass out quick on $int_if proto udp to any port $int_udp_services
```


----------



## junovitch@ (Jul 14, 2014)

It seems very common to see restrictive inbound rules and a generic "pass out" rule to trust anything leaving. Since you are not doing that, you'll have to remember that anything new network-related will need some kind of rule to allow it to leave initially, and let stateful tracking take care of allowing the replies.


----------
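The point junovitch makes above is the whole story of this thread: with `block out all` in place, the outbound SYN from the web host to the MySQL server leaves on xn1 and is dropped by the default-deny rule, and because that rule carries no `log` keyword the drop never reaches pflog. The existing `pass out` rules only cover `$ext_if`, so nothing permits the connection. The ruleset below is an added, editorial example (not code posted in the thread) that fixes the same problem more tightly: it logs outbound blocks so the next missing rule is visible in pflog, allows outbound MySQL only to the database host's address rather than to `any`, and drops the UDP entry, since MySQL speaks TCP only. The database address `10.0.1.20` and the `xn0`/`xn1` interface names are assumptions.

```pf
ext_if = "xn0"
int_if = "xn1"

# Assumed address of the MySQL server on the private network (not from the thread).
mysql_server = "10.0.1.20"

webports = "{ http, https }"
ext_tcp_services = "{ domain, ntp, www, https }"
ext_udp_services = "{ domain, ntp }"

set skip on lo
set loginterface $ext_if

# Normalization
scrub in all random-id fragment reassemble

# Default deny in both directions. 'log' on the outbound rule is what makes a
# missing pass-out rule show up in pflog instead of silently dropping the SYN.
block return in log all
block out log all

antispoof quick for $ext_if

# Block rapid-fire brute-force attempts
table <bruteforce> persist
block quick from <bruteforce>

# ftp-proxy needs to have an anchor
anchor "ftp-proxy/*"

# SSH is listening on port 26; throttle connection floods into <bruteforce>
pass in quick on $ext_if proto tcp to ($ext_if) port 26 keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

# Webserver
pass in on $ext_if proto tcp from any to ($ext_if) port $webports keep state

# Allow essential outgoing traffic on the public interface
pass out quick on $ext_if proto tcp to any port $ext_tcp_services
pass out quick on $ext_if proto udp to any port $ext_udp_services

# Outbound MySQL client connections on the private interface: one host, TCP only.
# This rule creates the state entry; the server's replies arriving on xn1 match
# that state and need no 'pass in' rule of their own.
pass out quick on $int_if proto tcp from ($int_if) to $mysql_server port 3306 \
    flags S/SA keep state
```

Check the syntax before loading it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`. After a connection attempt, `pfctl -ss | grep 3306` should show the state entry created by the last rule; if it is absent, `tcpdump -n -e -ttt -i pflog0 port 3306` now shows the blocked outbound SYN, which is exactly what the original `block out all` without `log` hid.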



## tomsdongle (Jul 14, 2014)

junovitch said:

> It seems very common to see restrictive inbound rules and a generic "pass out" rule to trust anything leaving. Since you are not doing that, you'll have to remember that anything new network-related will need some kind of rule to allow it to leave initially, and let stateful tracking take care of allowing the replies.

Thanks for the heads up, appreciate it.


----------

