# Can PF Help me?



## errr (Nov 17, 2009)

I have a server with 1 NIC em0 {192.168.1.8}
This server is only connected to our LAN
This server is currently running mysql on port 3306
This server is running FreeBSD 6.0 Release and cannot be updated or taken down.

We want to move mysql to a new server running at 192.168.1.10 port 3306

Is there a way to make it so if you still try to access mysql on the old server it will redirect requests to the new server? We are worried about some old scripts that have been forgotten about that may still try to use the old IP and would like to avoid them breaking when we move mysql.

I have tried with PF but have not had much luck. Here is my current pf.conf:

```
sql = "192.168.1.8"
int_if = "em0"
sqlp = "3306"

rdr pass log on $int_if proto { tcp, udp } from any to any port $sqlp -> $sql
```

In the log I get this:

```
# tcpdump -n -ttt -i pflog0

9. 622870 IP 192.168.1.153.58750 > 192.168.1.8.3306:  tcp 40 [bad hdr length 0 - too short, < 20]
```

Any help here would be awesome


----------



## errr (Nov 17, 2009)

I just found why I was getting the above output from the tcpdump. Here is the output I get now:

```
# tcpdump -s 256 -n -ttt -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 256 bytes

000000 IP 192.168.1.153.60777 > 192.168.1.8.3306: S 20858549:20858549(0) win 5840 <mss 1460,sackOK,timestamp 582872328 0,nop,wscale 7>
```


----------



## SirDice (Nov 17, 2009)

From pf.conf(5):


> Redirections cannot reflect packets back through the interface they arrive on, they can only be redirected to hosts connected to different interfaces or to the firewall itself.



Simple solution? Add the 'old' ip address as an alias on the new server. Set up some logging that keeps an eye on that ip address. Modify any scripts/hosts that use the old address. Once done, remove the old address.
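The "keep an eye on that ip address" part can be done with the pflog output already shown in this thread. Below is an added example, not from any post here: it parses constructed `tcpdump -n -ttt -i pflog0` lines in the same format as above and counts, per client address, the new connection attempts (SYN only) that still target the old MySQL address, so the forgotten scripts can be found and fixed before the old address goes away. The sample log, the old address 192.168.1.8 and port 3306 are taken from the thread; everything else (function names, the regex) is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -s 256 -n -ttt -i pflog0` output in the
# format seen earlier in the thread. Only lines with the "S" (SYN) flag mark a
# new connection attempt; the "." line is a later ack of an existing session,
# and the port 22 line is unrelated traffic that also matched the log rule.
SAMPLE_PFLOG = """\
000000 IP 192.168.1.153.60777 > 192.168.1.8.3306: S 20858549:20858549(0) win 5840 <mss 1460,sackOK,timestamp 582872328 0,nop,wscale 7>
000412 IP 192.168.1.153.60778 > 192.168.1.8.3306: S 20858600:20858600(0) win 5840 <mss 1460>
001203 IP 192.168.1.77.41022 > 192.168.1.8.3306: S 11223344:11223344(0) win 65535 <mss 1460>
002000 IP 192.168.1.153.60777 > 192.168.1.8.3306: . ack 1 win 46
003500 IP 192.168.1.99.51000 > 192.168.1.8.22: S 99887766:99887766(0) win 65535 <mss 1460>
"""

# "IP src.port > dst.port: FLAGS ..." - the tcp flag string is the token
# right after the colon (assumed layout, matching the thread's output).
LINE_RE = re.compile(
    r"\bIP\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<flags>\S+)"
)


def parse_line(line):
    """Return a dict with src/sport/dst/dport/flags for one pflog packet line,
    or None for anything else (tcpdump banners, truncated packets, ...)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def legacy_clients(log_text, old_ip="192.168.1.8", port=3306):
    """Count new connection attempts (SYN only) per client address that
    still target old_ip:port. Returns {client_ip: syn_count}."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dst"] == old_ip and rec["dport"] == port and rec["flags"] == "S":
            counts[rec["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    # Feed real data with: tcpdump -n -ttt -i pflog0 | python3 this_script.py
    for ip, n in sorted(legacy_clients(SAMPLE_PFLOG).items()):
        print(f"{ip}\t{n} connection attempt(s) to the old MySQL address")
```

Run it against a saved pflog capture (or pipe tcpdump into it) and the hosts that show up are the ones whose scripts still need the new address; once the list stays empty for a while, the alias can be dropped.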


----------



## errr (Nov 17, 2009)

SirDice said:

> From pf.conf(5):
> 
> 
> Simple solution? Add the 'old' ip address as an alias on the new server. Set up some logging that keeps an eye on that ip address. Modify any scripts/hosts that use the old address. Once done, remove the old address.


I can't do that because the old IP is still in use. I have a lot of other things like Samba, CUPS, and many other things running on this box. We are just moving SQL off this box and on to a stand alone machine.

I did find this morning that I have 2 NICs but only 1 of them was configured, so I could configure em1 to be on the same subnet etc as em0. Would I be able to do what I am trying to do then?


----------



## DutchDaemon (Nov 17, 2009)

You can't configure two NICs in the same subnet.


----------



## DutchDaemon (Nov 17, 2009)

Does the new MySQL box have two interfaces as well? You might be able to create a bit of backdoor routing.


```
oldbox                              newbox
[192.168.1.8] --- [10.0.0.1/30] --> [10.0.0.2/30] ---[192.168.1.10]
```

Either 192.168.1.8:3306 -> redirect -> 10.0.0.2 -> redirect -> 192.168.1.10:3306

Or bind MySQL to 10.0.0.2:3306 as well as to 192.168.1.10:3306 on the new box, and redirect 192.168.1.8:3306 -> 10.0.0.2:3306.

This is just conceptual, not tested.


----------



## errr (Nov 17, 2009)

DutchDaemon said:

> You can't configure two NICs in the same subnet.



Why not?


----------



## DutchDaemon (Nov 17, 2009)

errr said:

> Why not?



Routing discrepancies and conflicts. The kernel will only use one NIC, if it works at all. There will certainly be complaints. You need non-overlapping subnet masks.


----------



## errr (Nov 17, 2009)

DutchDaemon said:

> Does the new MySQL box have two interfaces as well? You might be able to create a bit of backdoor routing.
> 
> 
> ```
> ...


Yes both boxes do have 2 NICs.
I will try doing this.


----------



## errr (Nov 18, 2009)

Well I figured this out, and still used PF, and did it with only 1 NIC.

Since MySQL runs on a non-privileged port, I made a user on both of my servers called dbproxy.
I then used ssh keys and cron to port forward.
I'm using:

```
ssh -L 4040:localhost:3306  dbproxy@newserver
```
Then I use this very simple rule set on my old server in my pf.conf:

```
rdr pass log  on $int_if proto { tcp, udp } from any to any port 3306 -> 127.0.0.1 port 4040
```
Now it works like a champ.
Another way I found that would work is the mysql-proxy but this system was too old and needed too many things that we were not going to be able to change.
Thank you for your help.


----------



## DutchDaemon (Nov 18, 2009)

Creatively done!


----------

