IPFW, NAT, jailed MySQL connection problem.

2005-06-14 Thread Daniel Nystrom
Hi,

I seem to have stumbled upon a tiny problem that just will not go
away. I was hoping there would be an answer somewhere before I put my
deep-into-the-dirt-boots on.

The software setup of the problem:
FreeBSD 5.4 Release
ipfw
natd
named
jail
Mysql 4.1 Server
Mysql 4.1 client

Hardware
1 external NIC (192.168.101.12)
1 internal NIC (192.168.1.1)
1 internal NIC (192.168.2.1)

The host system pretty much only serves as NAT and nameserver. I have
one jail setup with mysqld running. The problem occurs when I try to
connect to the mysql server with the flag -h. I get the error that my
user is not authorized to connect from ip 192.168.101.12 (external
NIC).

However, this is inside the jail so it should not need to be NAT'd
traffic at all.

This is some info from inside the jail:


---8<---
# ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet6 fe80::210:a7ff:fe0a:9119%rl0 prefixlen 64 scopeid 0x1
        inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:10:a7:0a:91:19
        media: Ethernet autoselect (none)
        status: no carrier
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=9<RXCSUM,VLAN_MTU>
        inet6 fe80::201:2ff:feae:6d1d%xl0 prefixlen 64 scopeid 0x2
        ether 00:01:02:ae:6d:1d
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        ether 00:50:bf:34:24:b3
        media: Ethernet autoselect (10baseT/UTP)
        status: no carrier
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
# nslookup 192.168.1.3
Server:         192.168.1.1
Address:        192.168.1.1#53

3.1.168.192.in-addr.arpa        name = db.folkvett.se.

# nslookup db.folkvett.se
Server:         192.168.1.1
Address:        192.168.1.1#53

Name:   db.folkvett.se
Address: 192.168.1.3

# traceroute db.folkvett.se
traceroute to db (192.168.1.3), 64 hops max, 40 byte packets
 1  db (192.168.1.3)  0.882 ms  0.744 ms  0.597 ms
# traceroute 192.168.1.3
traceroute to 192.168.1.3 (192.168.1.3), 64 hops max, 40 byte packets
 1  db (192.168.1.3)  0.847 ms  0.908 ms  0.604 ms
# mysql -u root -h db.folkvett.se -p
Enter password:
ERROR 1130 (0): #HY000Host '192.168.101.12' is not allowed to connect to this MySQL server
# mysql -u root -h 192.168.1.3 -p
Enter password:
ERROR 1130 (0): #HY000Host '192.168.101.12' is not allowed to connect to this MySQL server
# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 7 to server version: 4.1.12-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select user, host from mysql.user  where mysql.user.user='root';
+------+----------------+
| user | host           |
+------+----------------+
| root | 192.168.1.3    |
| root | db.folkvett.se |
| root | localhost      |
+------+----------------+
3 rows in set (0.01 sec)

mysql>
---8<---


As you can see from the above, I have no trouble resolving the correct
IP or even connecting to the database; however, it seems that the
database then all of a sudden believes that I come from the external IP
of the HOST environment, not the jail. I shouldn't have access to
192.168.101.12 from the jail. Which means I somehow strangely get
NAT'd, even though I try to connect to my local IP.

The 192.168.1.3 ip is an alias on the rl0 interface. In the host it
looks like this:


---8<---
 ifconfig rl0
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::210:a7ff:fe0a:9119%rl0 prefixlen 64 scopeid 0x1
        inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
        inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:10:a7:0a:91:19
        media: Ethernet autoselect (none)
        status: no carrier

---8<---


Happy for any answers you may come up with.


MYSQL connection problem

2004-12-01 Thread mario . lobo
Hello Everyone;

I have two machines:

1) Free 4.10 / mysql (5.0.0) listening on port 5006

2) Free 5.3 Release / mysql (5.0.0) listening on port 5007

On both, no firewalls, blocks or anything of that sort. Both machines have the
same configuration. Both mysql were compiled from the ports with the same
options. The only difference between the two machines is the Free version and
port mysql is listening on.

Here are the outputs of the following commands on machine 1):

telnet localhost 5006
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
9
5.0.0-alpha}l'zRjBG,!js%Zxl6fp3
(after a few seconds...)
Connection closed by foreign host.

-

mysql -u root -P 5006 -h 127.0.0.1 -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8 to server version: 5.0.0-alpha

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>

**
Now, here are the outputs of the same commands on machine 2):

]telnet localhost 5007
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host. (no wait for this line to show!)

mysql -u root -P 5007 -h 127.0.0.1 -p
Enter password:
ERROR 2013 (HY000): Lost connection to MySQL server during query
(no wait for the above line to show either!)

**

I can only connect on machine 2) if I use a mysql.sock file. Any attempt to
connect via TCP/IP doesn't work !! command line client, java connectors (all
possible versions) none work.

I've been into every single link google returned to me on the ERROR 2013 above
for 2 days now and none of them had any info to get this working. Believe me,
I tried every hint of suggestion there was.

I really hope someone here has any clues to what is going on.

I´ve posted this to hackers but no clues so far.

thanks,

--
   //|  //||
  // | // ||
-//--//---|| ARIO LOBO
//  //||
-
[EMAIL PROTECTED]
http://www.ipad.com.br



MYSQL connection problem (added info)

2004-12-01 Thread mario . lobo
Adding the tcpdump output after changing mysqld to port 5004 (just a try :(( )
and issuing:

[~]mysql --port=5004 --host=127.0.0.1 --user=xxx database -p


[~]tcpdump -vv -i lo0 port 5004
tcpdump: listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes

08:57:04.755597 IP (tos 0x0, ttl  64, id 5384, offset 0, flags [DF], length: 64) localhost.58972 > localhost.5004: S [tcp sum ok] 1832068379:1832068379(0) win 65535 <mss 16344,nop,nop,sackOK,nop,wscale 1,nop,nop,timestamp 77449669 0>

08:57:04.755654 IP (tos 0x0, ttl  64, id 5385, offset 0, flags [DF], length: 64) localhost.5004 > localhost.58972: S [tcp sum ok] 87927240:87927240(0) ack 1832068380 win 65535 <mss 16344,nop,wscale 1,nop,nop,timestamp 77449669 77449669,nop,nop,sackOK>

08:57:04.755685 IP (tos 0x0, ttl  64, id 5386, offset 0, flags [DF], length: 52) localhost.58972 > localhost.5004: . [tcp sum ok] 1:1(0) ack 1 win 35840 <nop,nop,timestamp 77449669 77449669>

08:57:04.756399 IP (tos 0x0, ttl  64, id 5387, offset 0, flags [DF], length: 52) localhost.5004 > localhost.58972: F [tcp sum ok] 1:1(0) ack 1 win 35840 <nop,nop,timestamp 77449670 77449669>

08:57:04.760855 IP (tos 0x8, ttl  64, id 5388, offset 0, flags [DF], length: 52) localhost.58972 > localhost.5004: . [tcp sum ok] 1:1(0) ack 2 win 35840 <nop,nop,timestamp 77449674 77449670>

08:57:04.761035 IP (tos 0x8, ttl  64, id 5389, offset 0, flags [DF], length: 52) localhost.58972 > localhost.5004: F [tcp sum ok] 1:1(0) ack 2 win 35840 <nop,nop,timestamp 77449674 77449670>

08:57:04.761067 IP (tos 0x0, ttl  64, id 5390, offset 0, flags [DF], length: 52) localhost.5004 > localhost.58972: . [tcp sum ok] 2:2(0) ack 2 win 35839 <nop,nop,timestamp 77449674 77449674>

7 packets captured
7 packets received by filter
0 packets dropped by kernel


I hope this helps,

--
   //|  //||
  // | // ||
-//--//---|| ARIO LOBO
//  //||
-
[EMAIL PROTECTED]
http://www.ipad.com.br





Re: MYSQL connection problem (added info)

2004-12-01 Thread David Jenkins
On Wed, 1 December, 2004 12:16, [EMAIL PROTECTED] said:

I may (and probably am!) be way off on this but could you post the
contents of /etc/hosts and /etc/resolv.conf for both machines please.

Cheers,
David


Re: MYSQL connection problem

2004-12-01 Thread Daniel Bye
On Wed, Dec 01, 2004 at 08:23:51AM -0300, [EMAIL PROTECTED] wrote:
> Hello Everyone;
>
> I have two machines:
>
> 1) Free 4.10 / mysql (5.0.0) listening on port 5006
>
> 2) Free 5.3 Release / mysql (5.0.0) listening on port 5007
>
> On both, no firewalls, blocks or anything of that sort. Both machines
> have the same configuration.  Both mysql were compiled from the ports
> with the same options. The only difference between the two machines is
> the Free version and port mysql is listening on.

[---snip---]

> I can only connect on machine 2) if I use a mysql.sock file. Any attempt
> to connect via TCP/IP doesn't work !! command line client, java
> connectors (all possible versions) none work.
>
> I've been into every single link google returned to me on the ERROR 2013
> above for 2 days now and none of them had any info to get this working.
> Believe me, I tried every hint of suggestion there was.

I had similar problems recently.  Edit the port's Makefile, removing the
line:

--with-libwrap \

and rebuild the port.

This worked for me - but there is probably a better way to deal with it.

Dan

-- 
Daniel Bye

PGP Key: ftp://ftp.slightlystrange.org/pgpkey/dan.asc
PGP Key fingerprint: 3B9D 8BBB EB03 BA83 5DB4 3B88 86FC F03A 90A1 BE8F
 _
  ASCII ribbon campaign ( )
 - against HTML, vCards and  X
- proprietary attachments in e-mail / \




Re: MYSQL connection problem (SOLVED)

2004-12-01 Thread Daniel Bye
On Wed, Dec 01, 2004 at 10:40:14AM -0300, [EMAIL PROTECTED] wrote:
> YSS !!! IT WORKED !!
>
> Thanks a million Daniel.
>
> What exactly does with-libwrap do?

It causes the MySQL package to be linked against the libwrap library -
which is used for host access control through the /etc/hosts.allow
mechanism.  For this reason, now you have MySQL built without it, you
should use some other means of controlling where connections are allowed
from.

Check out hosts_access in section 3 of the manual for more details.

Dan

-- 
Daniel Bye

PGP Key: ftp://ftp.slightlystrange.org/pgpkey/dan.asc
PGP Key fingerprint: 3B9D 8BBB EB03 BA83 5DB4 3B88 86FC F03A 90A1 BE8F
 _
  ASCII ribbon campaign ( )
 - against HTML, vCards and  X
- proprietary attachments in e-mail / \
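
The loopback capture posted earlier in this thread shows the server port sending FIN about 0.8 ms after the handshake without ever sending the MySQL greeting, the behaviour that went away once the port was rebuilt without libwrap. The following added example (not code from any poster) scans tcpdump text for that pattern; the function name, the 50 ms threshold and the second, healthy connection in the sample are assumptions made for illustration.

```python
import re

# Constructed sample: the first connection is modelled on the capture posted in
# the thread (port 5004); the second is a made-up healthy one with a greeting.
CAPTURE = """\
08:57:04.755597 IP localhost.58972 > localhost.5004: S [tcp sum ok] 1832068379:1832068379(0) win 65535
08:57:04.755654 IP localhost.5004 > localhost.58972: S [tcp sum ok] 87927240:87927240(0) ack 1832068380 win 65535
08:57:04.755685 IP localhost.58972 > localhost.5004: . [tcp sum ok] 1:1(0) ack 1 win 35840
08:57:04.756399 IP localhost.5004 > localhost.58972: F [tcp sum ok] 1:1(0) ack 1 win 35840
08:57:04.761035 IP localhost.58972 > localhost.5004: F [tcp sum ok] 1:1(0) ack 2 win 35840
09:00:00.000100 IP localhost.40001 > localhost.5006: S [tcp sum ok] 100:100(0) win 65535
09:00:00.000150 IP localhost.5006 > localhost.40001: S [tcp sum ok] 500:500(0) ack 101 win 65535
09:00:00.000180 IP localhost.40001 > localhost.5006: . [tcp sum ok] 1:1(0) ack 1 win 35840
09:00:00.000900 IP localhost.5006 > localhost.40001: P [tcp sum ok] 1:61(60) ack 1 win 35840
09:00:05.000000 IP localhost.5006 > localhost.40001: F [tcp sum ok] 61:61(0) ack 1 win 35840
"""

PKT = re.compile(r"^(\d+):(\d+):(\d+\.\d+) IP .*?(\S+\.\d+) > (\S+\.\d+): "
                 r"([SFPR.]+) .*?\d+:\d+\((\d+)\)(.*)$")

def early_server_closes(capture, max_delay=0.05):
    """Return (client, server, ms_since_syn) for every connection the server
    closed first, without sending a byte, within max_delay seconds of the SYN."""
    conns, findings = {}, []
    for line in capture.splitlines():
        m = PKT.match(line)
        if not m:
            continue
        hh, mm, ss, src, dst, flags, length, rest = m.groups()
        ts = int(hh) * 3600 + int(mm) * 60 + float(ss)
        if "S" in flags and " ack " not in rest:      # client's opening SYN
            conns[(src, dst)] = {"syn": ts, "sent": 0, "fin_seen": False}
            continue
        if (src, dst) in conns:                       # client -> server packet
            conns[(src, dst)]["fin_seen"] |= "F" in flags
            continue
        st = conns.get((dst, src))                    # server -> client packet
        if st is None or st["fin_seen"]:
            continue
        st["sent"] += int(length)                     # payload bytes from server
        if "F" in flags:
            st["fin_seen"] = True
            if st["sent"] == 0 and ts - st["syn"] <= max_delay:
                findings.append((dst, src, round((ts - st["syn"]) * 1000, 3)))
    return findings

if __name__ == "__main__":
    for client, server, ms in early_server_closes(CAPTURE):
        print(f"{server} closed {client} after {ms} ms with no greeting")
```

A hit means the daemon accepted the TCP connection and then dropped it before speaking the protocol, so the place to look is the daemon's own access control (here, libwrap and /etc/hosts.allow) rather than a packet filter.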

