Mysql

apache / mysql cannot connect to the jail through the PF firewall

  • August 13, 2015

I have set up two jail environments on FreeBSD 11

root@ns312773:/etc # jls
  JID  IP Address      Hostname                      Path
    1  10.6.6.6        www                           /usr/jails/www
    2  10.6.6.7        dbs                           /usr/jails/dbs

This is what I have in my /etc/pf.conf

### Interfaces ###
ExtIf ="igb0"
IntIf ="lo666"

### Hosts ###
IP_WEB ="192.168.0.1"
IP_JAIL = "{10.6.6.6, 10.6.6.7, 10.6.6.8, 10.6.6.9}"
IP_JAIL_WWW = "10.6.6.6"
IP_JAIL_DBS = "10.6.6.7"
IP_JAIL_APP = "10.6.6.8"
NET_JAIL="10.6.6.0/24"

### Ports ###
PORT_WWW="{80,443}"
PORT_MYSQL="{3306}"

# WWW
rdr pass on $ExtIf proto tcp from any to $IP_WEB port $PORT_WWW -> $IP_JAIL_WWW
# MYSQL
rdr pass on $ExtIf proto tcp from any to $IP_JAIL_WWW port $PORT_MYSQL -> $IP_JAIL_DBS

When I try to check whether the port is open from $IP_JAIL_WWW:

# ezjail-admin console www
Last login: Thu Aug 13 13:30:14 on pts/0
FreeBSD 11.0-CURRENT (GENERIC) #0 r286285: Tue Aug  4 15:12:53 UTC 2015

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

Edit /etc/motd to change this login announcement.
root@www:~ # telnet 10.6.6.7 3306
Trying 10.6.6.7...
Connected to 10.6.6.7.
Escape character is '^]'.
AHost '10.6.6.6' is not allowed to connect to this MySQL serverConnection closed by foreign host.
root@www:~ #

As far as I understand, rdr pass on $ExtIf proto tcp from any to $IP_JAIL_WWW port $PORT_MYSQL -> $IP_JAIL_DBS should pass the traffic between the two jails. Any suggestions are greatly appreciated.

I figured it out: I had to create a MySQL user in order to connect

mysql> use mysql;
mysql> CREATE USER 'web'@'10.6.6.6' IDENTIFIED BY 'password';
mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER ON *.* TO 'web'@'10.6.6.6';
mysql> FLUSH PRIVILEGES;

Then, from the web jail:

# ezjail-admin console www
root@www:~ # vi /usr/local/www/apache24/data/mysql.php

<?php
$servername = "10.6.6.7";
$username = "web";
$password = "password";

// Create connection
$conn = new mysqli($servername, $username, $password);

// Check connection
if ($conn->connect_error) {
   die("Connection failed: " . $conn->connect_error);
}
echo "Connected successfully";
?>

Then go to http://192.168.0.1/mysql.php and you should get Connected successfully
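The check above confirms the account resolves to 'web'@'10.6.6.6', but it discards the database name and prints the raw connect_error to the browser. The script below is an added example, not code from the original post: it reuses the same 'web' account and the dbs jail address, assumes a hypothetical database named "webapp", and adds exception-based error reporting, a CURRENT_USER() / SHOW GRANTS readback so you can see which host MySQL matched and what the account may do, and a prepared statement as the pattern to use for anything carrying user input.

```php
<?php
// Added example, not part of the original answer: a hardened variant of
// mysql.php. Assumes the account 'web'@'10.6.6.6' created above and a
// hypothetical database named "webapp".
declare(strict_types=1);

// Make mysqli throw mysqli_sql_exception instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$servername = "10.6.6.7";   // dbs jail
$username   = "web";
$password   = "password";   // placeholder, same as the answer above
$database   = "webapp";     // hypothetical database name (assumption)

try {
    $conn = new mysqli($servername, $username, $password, $database, 3306);
    $conn->set_charset("utf8mb4");

    // MySQL picks the account row by the client's source address, so the host
    // part of CURRENT_USER() tells you which address the dbs jail actually saw.
    // If pf had NATed the connection it would not read 'web@10.6.6.6'.
    $who = $conn->query("SELECT CURRENT_USER() AS u, @@version AS v")->fetch_assoc();

    // Read back what this account may do: a quick least-privilege check.
    $grants = [];
    $res = $conn->query("SHOW GRANTS FOR CURRENT_USER()");
    while ($g = $res->fetch_row()) {
        $grants[] = $g[0];
    }

    // Use a prepared statement for anything that carries user input.
    $stmt = $conn->prepare("SELECT ? + ? AS total");
    $a = 40;
    $b = 2;
    $stmt->bind_param("ii", $a, $b);
    $stmt->execute();
    $total = $stmt->get_result()->fetch_assoc()["total"];

    echo "Connected as {$who['u']} to MySQL {$who['v']}\n";
    foreach ($grants as $g) {
        echo $g, "\n";
    }
    echo "Prepared statement ok: 40 + 2 = {$total}\n";
} catch (mysqli_sql_exception $e) {
    // Keep the detail in the server log; never echo connect_error to the client.
    error_log("mysql.php: " . $e->getMessage());
    http_response_code(500);
    echo "Database connection failed\n";
}
```

The SHOW GRANTS output is the line to read: if it shows ON *.* the account can reach every database on the dbs jail, and narrowing the GRANT to the one database the web jail needs is the next step.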

Source: https://serverfault.com/questions/713938