# How to Block all ports except ssh and 2 others



## Gio01 (Jul 13, 2012)

Guys, I do not understand how to lock all the ports to the outside except a few, like ssh and mysql.

They can still access my mysql database and I do not know what to do.
There are exploits for MariaDB / MySQL that allow root access without knowing the password.
How can I stop this with a firewall?
Thank you for your help.


----------



## Ricky (Jul 13, 2012)

All you have to do is add your IP address:

```
# allow ssh (tcp/22) in on dc0 only from your own address
pass in on dc0 proto tcp from youripaddress to any port = 22
```

I'm not sure how IPF behaves because I'm more familiar with IPFW but you can try this http://www.freebsd.org/doc/handbook/firewalls-ipf.html


----------



## Gio01 (Jul 14, 2012)

What firewall do you recommend? Is ipfw the best?


----------



## wblock@ (Jul 14, 2012)

Firewalling a compromised machine is not going to help.  For all you know, they have you doing stuff inside a chroot(8).  Back up, reinstall, check everything that is put on the new machine to make sure you are not copying compromised stuff.  Update exploitable software to the latest version.  Change configs, apply patches, do all the normal stuff to secure it.

pf(4) (pf.conf(5)) has become popular for power and ease of use.  In terms of speed, I think that ipfw(8) is still the fastest.  For most people, firewall speed is not an issue.


----------



## Gio01 (Jul 15, 2012)

OK, I just finished installing everything.
MySQL is still vulnerable.
But can I not do this:
block all outside traffic to port 3306, except from a specific IP?


----------



## wblock@ (Jul 15, 2012)

Is there no patch/fix/workaround for the vulnerability?

Limiting the IP addresses that can get to it is better than nothing.


----------



## Gio01 (Jul 15, 2012)

In short, there is an exploit discovered recently that runs on blackhat;
it starts dumping the password and lets you connect, bypassing the mysql login, even if you've blocked the IP.


----------



## kpa (Jul 15, 2012)

Do you have to expose the MySQL port to the whole wide world? What type of clients connect to your database, are they all from known IP addresses?


----------



## Gio01 (Jul 15, 2012)

Yes, I have opened the mysql port to all.
But I am stuck with unknown dial-up IPs.
In a few words, it must operate only between my site and the server.


----------



## J65nko (Jul 15, 2012)

RE: mysql

In many cases it is not needed to have mysqld LISTENing on port 3306 on the public IP address at all. You can use the *skip-networking* option in the mysql configuration file to disable this.
See http://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_skip-networking


----------
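A pf(4) ruleset for the setup this thread arrives at (wblock@'s advice to limit which addresses can reach MySQL, combined with J65nko's point that 3306 need not be public at all): default deny on the outside interface, ssh only from an admin host, 3306 only from the web server, and two other public services. This is an added example, not a ruleset posted by anyone in the thread; the interface name and the addresses are assumed placeholders.

```pf
# /etc/pf.conf (example; adjust names to your system)
# Assumptions: em0 is the public interface, 198.51.100.10 is the admin
# host that may ssh in, 203.0.113.20 is the web server that needs MySQL.
ext_if     = "em0"
admin_host = "198.51.100.10"
web_server = "203.0.113.20"
public_tcp = "{ 80, 443 }"     # the "2 others" from the thread title

set skip on lo0
scrub in all

# Last matching rule wins in pf, so block everything first and let the
# pass rules below carve out exceptions.  Logged blocks land on pflog0,
# which makes scans against 3306 easy to spot.
block in log on $ext_if all
block out on $ext_if all

# Let the host itself reach out (package updates, DNS, NTP).
pass out on $ext_if proto { tcp, udp, icmp } from ($ext_if) to any keep state

# ssh: only from the admin host, not from the whole Internet.
pass in on $ext_if proto tcp from $admin_host to ($ext_if) port 22 keep state

# MySQL: only from the web server.  Any other source hits the default
# block above, so an exposed mysqld bug cannot be reached from outside.
pass in on $ext_if proto tcp from $web_server to ($ext_if) port 3306 keep state

# The two other public services, open to all.
pass in on $ext_if proto tcp from any to ($ext_if) port $public_tcp keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; if the web application runs on the same host as mysqld, the 3306 rule is unnecessary and *skip-networking* (or binding mysqld to 127.0.0.1) is the simpler fix.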



## SirDice (Jul 16, 2012)

This bug was fixed.
http://bugs.mysql.com/bug.php?id=64884


----------



## Gio01 (Jul 17, 2012)

SirDice said:

> This bug was fixed.
> http://bugs.mysql.com/bug.php?id=64884


I need to update my ports, right?


----------



## SirDice (Jul 17, 2012)

You should have done that already as the fix has been out for a while.


----------

