From: Daniel Nystrom
To: freebsd-questions@freebsd.org
Date: Tue, 14 Jun 2005 09:52:07 +0200
Subject: IPFW, NAT, jailed MySQL connection problem.

Hi,

I seem to have stumbled upon a tiny problem that just will not go away. I was hoping there would be an answer somewhere before I put my deep-into-the-dirt boots on.
The software setup of the problem:

  FreeBSD 5.4 Release
  ipfw
  natd
  named
  jail
  MySQL 4.1 server
  MySQL 4.1 client

Hardware:

  1 external NIC (192.168.101.12)
  1 internal NIC (192.168.1.1)
  1 internal NIC (192.168.2.1)

The host system pretty much only serves as NAT and nameserver. I have one jail set up with mysqld running. The problem occurs when I try to connect to the MySQL server with the flag -h. I get the error that my user is not authorized to connect from IP 192.168.101.12 (external NIC). However, this is inside the jail, so it should not need to be NAT'd traffic at all.

This is some info from inside the jail:

-------------------------------8<-------------------------------------------------
# ifconfig
rl0: flags=8843 mtu 1500
        options=8
        inet6 fe80::210:a7ff:fe0a:9119%rl0 prefixlen 64 scopeid 0x1
        inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:10:a7:0a:91:19
        media: Ethernet autoselect (none)
        status: no carrier
xl0: flags=8843 mtu 1500
        options=9
        inet6 fe80::201:2ff:feae:6d1d%xl0 prefixlen 64 scopeid 0x2
        ether 00:01:02:ae:6d:1d
        media: Ethernet autoselect (100baseTX )
        status: active
rl1: flags=8802 mtu 1500
        options=8
        ether 00:50:bf:34:24:b3
        media: Ethernet autoselect (10baseT/UTP)
        status: no carrier
plip0: flags=108810 mtu 1500
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5

# nslookup 192.168.1.3
Server:         192.168.1.1
Address:        192.168.1.1#53

3.1.168.192.in-addr.arpa        name = db.folkvett.se.
# nslookup db.folkvett.se
Server:         192.168.1.1
Address:        192.168.1.1#53

Name:   db.folkvett.se
Address: 192.168.1.3

# traceroute db.folkvett.se
traceroute to db (192.168.1.3), 64 hops max, 40 byte packets
 1  db (192.168.1.3)  0.882 ms  0.744 ms  0.597 ms

# traceroute 192.168.1.3
traceroute to 192.168.1.3 (192.168.1.3), 64 hops max, 40 byte packets
 1  db (192.168.1.3)  0.847 ms  0.908 ms  0.604 ms

# mysql -u root -h db.folkvett.se -p
Enter password:
ERROR 1130 (00000): #HY000Host '192.168.101.12' is not allowed to connect to this MySQL server

# mysql -u root -h 192.168.1.3 -p
Enter password:
ERROR 1130 (00000): #HY000Host '192.168.101.12' is not allowed to connect to this MySQL server

# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 7 to server version: 4.1.12-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select user, host from mysql.user where mysql.user.user='root';
+------+----------------+
| user | host           |
+------+----------------+
| root | 192.168.1.3    |
| root | db.folkvett.se |
| root | localhost      |
+------+----------------+
3 rows in set (0.01 sec)

mysql>
-----------------------------------8<---------------------------------------------

As you can see from the above, I have no trouble resolving the correct IP or even connecting to the database; however, it seems that the database then all of a sudden believes that I come from the external IP of the HOST environment, not the jail. I shouldn't have access to 192.168.101.12 from the jail. Which means I somehow strangely get NAT'd, even though I try to connect to my local IP. The 192.168.1.3 IP is an alias on the rl0 interface.
In the host it looks like this:

-------------------------------8<-------------------------------------------------
> ifconfig rl0
rl0: flags=8843 mtu 1500
        options=8
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::210:a7ff:fe0a:9119%rl0 prefixlen 64 scopeid 0x1
        inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
        inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:10:a7:0a:91:19
        media: Ethernet autoselect (none)
        status: no carrier
>
-----------------------------------8<---------------------------------------------

Happy for any answers you may come up with.