Mailinglist Archive: opensuse-security (334 mails)

Firewall will not permit local machines to access SQL server in DMZ

I have an Alcatel 'frog' USB ADSL modem running off a SuSE linux box
configured as a firewall. This machine has 2 network cards. One card is
connected directly to a second linux box using a crossover cable, this
section being designated as the DMZ. The second linux box runs Apache
and MySQL. The other card is connected to an 8-way hub permitting my
household network to access the world via the firewall. The gateway
(firewall) machine additionally runs Squid http proxy but all the
internal user machines are in fact masqueraded onto the Internet. The
web server is reverse masqueraded onto the internet; this permits the
redirection of incoming http requests (since my ISP blocks port 80) from
the port to which they are directed by my dynamic IP address service.

Both the linux boxes run without monitors and I administer them remotely
using PuTTY and ssh from one of my user machines. All the user machines
run Win XP and communicate with each other using their native
peer-to-peer facilities, there being no domain, although Bind is running
on the gateway to provide local DNS resolution. When my current contract
expires I will move to another provider and obtain a static IP address,
at which point I will introduce a domain server.

You may wonder why I need all this stuff in my home. So do I. All I can
say is: insanity is hereditary, you get it from your kids.

I need to access the SQL server from one of my user machines using
Microsoft Access, but I cannot figure out how to persuade SuSEfirewall2
to permit this. I know I have a problem with MySQL as the connection
still fails when the firewall is turned off, but I can tell from the
error logging that communication is not passing the firewall when it is
turned on. I can probably figure out the MySQL problem once I can
communicate with the machine, but obviously I don't want to leave the
firewall turned off. MySQL uses a port in the 3000 range, and I have
turned on the 'allow high ports' option in the firewall, but this makes
no difference.

Can anybody help? Any other comments on the arrangement and security of
my system would be appreciated.
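The distinction the post runs into is between the firewall host's own incoming ports and traffic forwarded between zones: in SuSEfirewall2 the "allow high ports" switch (FW_ALLOW_INCOMING_HIGHPORTS_TCP) only concerns connections to the gateway itself, while LAN-to-DMZ traffic is governed by FW_FORWARD entries. The following is an added example, not part of the original post or of SuSEfirewall2's own code. It shows a constructed configuration fragment that forwards one LAN subnet to MySQL's default port (3306) on a DMZ host, renders the entry as the explicit iptables rule it implies, and checks whether a required flow is covered. Interface names and addresses (ppp0, eth0, eth1, 192.168.0.0/24, 192.168.1.2) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Interface names, addresses and
# the helper functions are assumptions; the variable names are SuSEfirewall2's.

# Fragment as it would appear in /etc/sysconfig/SuSEfirewall2 (constructed):
FW_DEV_EXT="ppp0"                       # assumed ADSL link
FW_DEV_INT="eth0"                       # assumed LAN side (the hub)
FW_DEV_DMZ="eth1"                       # assumed crossover link to the DMZ host
FW_ROUTE="yes"                          # forwarding between zones must be on
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"   # affects the firewall host only, not forwarding
# Format: "src_net,dst_net,protocol,dst_port" entries separated by spaces.
FW_FORWARD="192.168.0.0/24,192.168.1.2,tcp,3306"

# Render one FW_FORWARD entry as the equivalent explicit iptables rule
# (helper written for this example, not a SuSEfirewall2 function).
fw_forward_to_iptables() {
    src=$(printf '%s' "$1" | cut -d, -f1)
    dst=$(printf '%s' "$1" | cut -d, -f2)
    proto=$(printf '%s' "$1" | cut -d, -f3)
    port=$(printf '%s' "$1" | cut -d, -f4)
    printf 'iptables -A FORWARD -s %s -d %s -p %s --dport %s -j ACCEPT' \
        "$src" "$dst" "$proto" "$port"
}

# Return 0 if FW_FORWARD has an entry for exactly src/dst/proto/port, else 1.
# Exact string match only: a broader entry (a whole /24 as destination)
# would not be recognised by this simple check.
fw_forward_allows() {
    want="$1,$2,$3,$4"
    for entry in $FW_FORWARD; do
        [ "$entry" = "$want" ] && return 0
    done
    return 1
}

# Stand-alone usage: print the implied rules and verify the MySQL flow.
for entry in $FW_FORWARD; do
    fw_forward_to_iptables "$entry"
    echo
done
if fw_forward_allows 192.168.0.0/24 192.168.1.2 tcp 3306; then
    echo "LAN -> DMZ MySQL (tcp/3306) is forwarded"
else
    echo "no FW_FORWARD entry for LAN -> DMZ MySQL; add one"
fi
```

Restricting the FW_FORWARD entry to a single source subnet, a single DMZ host and a single port keeps the DMZ isolated from the rest of the LAN; reply packets are handled by connection tracking, so no second entry in the DMZ-to-LAN direction is needed.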

