Restricting port 3306 with the PF firewall

Frantisek Hennel frantisek.hennel at gmail.com
Sun Jun 6 12:04:41 CEST 2021


Thanks, yes, that is how I would like it. I changed it according to your
recommendation, but it still doesn't work.

/etc/pf.conf
table <blockedips> persist file "/etc/pf.blocked.ip.conf"
ext_if="em0" # interface connected to internet
block drop in log (all) quick on $ext_if from <blockedips> to any

table <mysqlwhite> persist file "/etc/pf.mysqlwhite.ip.conf"
block in log quick on $ext_if from ! <mysqlwhite> to any port 3306

Reloading pf rules.
/etc/pf.conf:6: port only applies to tcp/udp
/etc/pf.conf:6: skipping rule due to errors
/etc/pf.conf:6: rule expands to no valid combination

Frantisek
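The error in the reload output ("port only applies to tcp/udp") comes from the second rule having no protocol: pf cannot expand `port 3306` unless the rule is restricted to tcp or udp. Below is an added example of the whole pf.conf with the protocol filled in; it is not a configuration from anyone in this thread. It reuses the table names and the `em0` interface from the posted config, and assumes MySQL listens on TCP only (which it does for port 3306).

```pf
# /etc/pf.conf -- added example, not taken from the thread.
# Interface and table names are those used in the thread; em0 is assumed.
ext_if="em0"            # interface connected to internet

table <blockedips> persist file "/etc/pf.blocked.ip.conf"
table <mysqlwhite> persist file "/etc/pf.mysqlwhite.ip.conf"

# 1. Drop everything from the blocklist first; quick stops evaluation here.
block drop in log (all) quick on $ext_if from <blockedips> to any

# 2. Rule as posted, kept only as a comment. It fails at load time with
#    "port only applies to tcp/udp" because no protocol is named, so pf
#    cannot attach "port 3306" to anything and skips the rule.
# block in log quick on $ext_if from ! <mysqlwhite> to any port 3306

# 3. Corrected rule: restrict to TCP, then the port matches. Sources that
#    are not in <mysqlwhite> are blocked and logged; everything else on
#    the host stays open as before.
block in log quick on $ext_if proto tcp from ! <mysqlwhite> to any port 3306
```

The whitelist file `/etc/pf.mysqlwhite.ip.conf` takes one address or CIDR prefix per line (`#` starts a comment) and must exist before the reload, otherwise pf refuses the whole ruleset because of the `file` keyword. Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load with `pfctl -f /etc/pf.conf`, and confirm the table contents with `pfctl -t mysqlwhite -T show`. After editing the whitelist file, `pfctl -t mysqlwhite -T replace -f /etc/pf.mysqlwhite.ip.conf` updates the table in place without reloading the rules. Because the rule carries `log`, blocked connection attempts show up on `pflog0` (`tcpdump -n -e -ttt -i pflog0 port 3306`), which is a quick way to verify that an address you expected to be allowed is really in the table.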

On Sun, 6 Jun 2021 at 10:18, schrodinger <soumar at soudny.net> wrote:

> Hi,
>
> In your case I would probably define an array/table of allowed IPs/subnets
> $MYSQLALLOWED and add the rule:
>
> block in log quick on $ext_if from ! $MYSQLALLOWED to ($MYIP) port 3306
>
> I'm writing from my phone, not sitting at a PC, so check the syntax against man pf.conf ;)
>
> Marek
>
> On 6 Jun 2021 at 9:54, Frantisek Hennel <frantisek.hennel at gmail.com>
> wrote:
> >Hi,
> >
> >I would like to ask you for advice about the PF firewall,
> >since I have been studying the manuals since yesterday and have not
> >found a case like the one I am trying to set up anywhere.
> >
> >I need to block access to the MySQL server (port
> >3306) so that it is not reachable from the internet, and I would like
> >to allow this port only for specific IP addresses, or possibly
> >specific subnets. I want to leave all other ports normally
> >open; I only want to block that one port, 3306, in this way.
> >
> >At the moment I use the PF firewall only to block
> >unwanted IP addresses, and my pf.conf looks like this:
> >
> >table <blockedips> persist file "/etc/pf.blocked.ip.conf"
> >ext_if="em0" # interface connected to internet
> >block drop in log (all) quick on $ext_if from <blockedips> to any
> >
> >Please point me in the right direction even if it is not possible
> >to use the PF firewall for this purpose, although I would definitely
> >prefer a solution with PF, since I have been using it for a while.
> >
> >Thanks
> >
> >Frantisek
> >--
> >FreeBSD mailing list (users-l at freebsd.cz)
> >http://www.freebsd.cz/listserv/listinfo/users-l

