✓ Solved

Firewall rules with separate DB server

Hello,

I have an application running on a Linode server with a separate DB server, which also runs on Linode.

I activated Cloud Firewall and so far I have only set rules allowing inbound HTTP/S and SSH traffic.

I wonder, do I need to add the DB server under the firewall as well, and would my current setup impact the connection to the DB server from my application server? Would I need to add an exception to allow the SQL port as well?

Thanks!

4 Replies

✓ Best Answer

Hi @stevewi

Thanks for jumping in.
You'd be right. All servers are in the same data center.

I kind of inherited this infrastructure, so I will just need to keep it on life support for a few months. Still getting familiar with it.

That being said, the infrastructure is getting attacked frequently, so I figured a firewall would help it out.

Here's how it looks: a production server, a database server and a small Nanode acting as a load balancer running HAProxy. I'm fairly certain this 'lb' only handles traffic and manages SSL. It doesn't autoscale when under load or anything like that.

When I do a DNS check on my domain, the load balancer IP pops up as the server being hit by the incoming traffic.

My thoughts are to add all three servers under the firewall, open up the HTTP/S ports on all 3 and open up the SQL port for incoming traffic on the DB server. Outgoing would be open on all 3 servers on all ports.

Would this make sense?

Thanks!

> I wonder, do I need to add the DB server under the firewall as well, and would my current setup impact the connection to the DB server from my application server?

What I would do is modify this in steps…

  • The first step would be to move the application/DB server traffic off the open internet onto the private, unroutable, data-center-only LAN. I'm assuming here that your two Linodes are located in the same data center. Note that private does not mean secure…it means the traffic does not get routed to the open internet. Other Linodes in the same data center can still receive it.

  • The second step would be to secure the now-private DB server traffic with TLS.

  • The last step would be to block all traffic on the database server port with the cloud firewall. The only traffic on the db server port would be to/from the private IP of the app server.

> Would I need to add an exception to allow the SQL port as well?

Yes.

-- sw

> My thoughts are to add all three servers under the firewall, open up the HTTP/S ports on all 3 and open up the SQL port for incoming traffic on the DB server. Outgoing would be open on all 3 servers on all ports.

That would be a good short-term solution. You will have to open a few more ports than just http/s, mysql and ssh. DNS (port 53), for example. Those can be as needed.

It's good that you are taking a critical look at your setup. That's the way to prevent attacks.

-- sw
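The two rule sets discussed above differ in exactly one rule: the short-term plan opens the SQL port to all incoming traffic, while the earlier reply restricts it to the app server's private IP. The following is an added example (not code from the thread or from Linode) that writes both rule sets in the Linode Cloud Firewall API's JSON shape as I know it (inbound/outbound rule lists, per-rule action/protocol/ports/addresses, and default inbound_policy/outbound_policy) and evaluates constructed sample connections against them. The field names and the first-match ordering are assumptions to confirm against the current API docs; all IP addresses are constructed samples, not the poster's.

```python
"""Evaluate two Cloud Firewall rule sets for the DB server against sample
inbound connections.  Added example, not code from the thread or from Linode.

The rule JSON follows the Linode Cloud Firewall API shape as I know it
(inbound/outbound lists, per-rule action/protocol/ports/addresses and a default
inbound_policy/outbound_policy); rules are assumed to be matched in order with
first match winning.  Confirm both against the current API docs before reuse.
Every IP address below is a constructed sample, not the poster's."""

import ipaddress

APP_PRIVATE_IP = "192.168.140.10"   # constructed: app server's private LAN IP
ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"


def db_server_rules(mysql_sources):
    """Inbound rule set for the DB server: SSH and HTTP/S from anywhere (the
    plan in the question) plus the SQL port from `mysql_sources` only."""
    return {
        "inbound_policy": "DROP",
        "outbound_policy": "ACCEPT",      # "outgoing open on all ports"
        "inbound": [
            {"label": "allow-ssh", "action": "ACCEPT", "protocol": "TCP",
             "ports": "22", "addresses": {"ipv4": [ANY_V4], "ipv6": [ANY_V6]}},
            {"label": "allow-http-https", "action": "ACCEPT", "protocol": "TCP",
             "ports": "80,443", "addresses": {"ipv4": [ANY_V4], "ipv6": [ANY_V6]}},
            {"label": "allow-mysql", "action": "ACCEPT", "protocol": "TCP",
             "ports": "3306", "addresses": mysql_sources},
        ],
        "outbound": [],
    }


# Short-term plan from the question: SQL port open to all incoming traffic.
DB_RULES_SHORT_TERM = db_server_rules({"ipv4": [ANY_V4], "ipv6": [ANY_V6]})

# Refined plan from the reply: SQL port only from the app server's private IP.
DB_RULES_RESTRICTED = db_server_rules({"ipv4": [f"{APP_PRIVATE_IP}/32"]})


def _port_matches(spec, port):
    """`spec` is the API's port string: "3306", "80,443" or a range "1000-2000"."""
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def _source_matches(addresses, src_ip):
    """True if src_ip falls inside any listed network of its own family."""
    ip = ipaddress.ip_address(src_ip)
    family = "ipv4" if ip.version == 4 else "ipv6"
    return any(ip in ipaddress.ip_network(net, strict=False)
               for net in addresses.get(family, []))


def evaluate_inbound(ruleset, src_ip, dst_port, protocol="TCP"):
    """Return the action for one inbound connection: the first rule whose
    protocol, port and source all match wins, else the default policy."""
    for rule in ruleset["inbound"]:
        if (rule["protocol"] == protocol
                and _port_matches(rule["ports"], dst_port)
                and _source_matches(rule["addresses"], src_ip)):
            return rule["action"]
    return ruleset["inbound_policy"]


# Constructed probes.  192.168.140.77 stands for some other Linode in the same
# data center: the private LAN alone does not keep it off the SQL port.
PROBES = {
    "app server -> 3306 over private LAN": (APP_PRIVATE_IP, 3306),
    "other Linode in same DC -> 3306": ("192.168.140.77", 3306),
    "Internet host -> 3306": ("203.0.113.9", 3306),
    "Internet host -> 443": ("203.0.113.9", 443),
    "IPv6 Internet host -> 3306": ("2001:db8::9", 3306),
}


def verdicts(ruleset):
    """Map each probe name to the action the rule set gives it."""
    return {name: evaluate_inbound(ruleset, src, port)
            for name, (src, port) in PROBES.items()}


if __name__ == "__main__":
    for name, rules in (("short-term", DB_RULES_SHORT_TERM),
                        ("restricted", DB_RULES_RESTRICTED)):
        print(f"--- {name} ---")
        for probe, action in verdicts(rules).items():
            print(f"{action:6} {probe}")
```

Running it shows the point of the third step in the earlier reply: with the short-term rule set the "other Linode in same DC" probe is accepted on 3306, with the restricted set it is dropped, while HTTPS and the app server's own private-LAN connection are accepted in both.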

Thanks @stevewi
Will keep the DNS port in mind as well. I've set up the firewall. Need to see how attacks will behave down the road.

Thanks again!
