Re: [Shorewall-users] MySQL Replication with ssl connection and ports configuration
[..]
> Hi Davide,
>
> Diagnosing something like this typically requires the complete output of 'shorewall dump'. However, based on the syslog messages it looks like you simply need to add the 'routeback' option to the eth0 line in /etc/shorewall/interfaces on both hosts.
>
> If that does not resolve the problem, please post the complete output of 'shorewall dump' so that we can help you identify the cause.
>
> Regards,
>
> -Roberto

Hi friends,

I've solved the problem with MySQL Replication. The issue was caused by the MySQL (5.5) inability to manage 4096-bit certificates and my error of not having opened the port 3306.

@Roberto: thanks for your useful suggestion to enable the 'routeback' option to the eth0 line in /etc/shorewall/interfaces!

I continue to have DROPs with my server addresses, but I will open a specific topic since it is no longer about Replication.

Thanks again!

Davide

--
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Re: [Shorewall-users] MySQL Replication with ssl connection and ports configuration
Add this to the master my.cnf:

[mysqld]
# are permissions 644?
ssl-key  = /etc/pki/mysql/private/c3po.example.com.MariaDB.pem
ssl-cert = /etc/pki/mysql/certs/c3po.example.com.MariaDB.crt
ssl-ca   = /etc/pki/mysql/certs/Customer_MariaDB.CA.crt

Enter this as a command on the slave:

CHANGE MASTER TO
  MASTER_HOST='c3po.example.com',
  MASTER_USER='yoda',
  MASTER_PASSWORD='password1234',
  MASTER_LOG_FILE='c3po-log-bin.000910',
  MASTER_LOG_POS=52911945,
  MASTER_SSL=1,
  MASTER_SSL_CA='/etc/pki/mysql/certs/Customer_MariaDB.CA.crt',
  MASTER_SSL_CERT='/etc/pki/mysql/certs/yoda.example.com.MariaDB.crt',
  MASTER_SSL_KEY='/etc/pki/mysql/private/yoda.example.com.MariaDB.pem';

Of course change log_file, log_pos, password, etc.

Hope this gets you pointed in the right direction,
Bill

On 8/22/2017 12:21 PM, Davide Marchi wrote:
> [..]
>> Hi Davide,
>>
>> Diagnosing something like this typically requires the complete output of 'shorewall dump'. However, based on the syslog messages it looks like you simply need to add the 'routeback' option to the eth0 line in /etc/shorewall/interfaces on both hosts.
>>
>> If that does not resolve the problem, please post the complete output of 'shorewall dump' so that we can help you identify the cause.
>>
>> Regards,
>>
>> -Roberto
>
> Thanks Roberto for your (very very appreciated) help!
>
> I've done as you suggested, but there seem to be other problems around this MySQL Replication. I've opened a specific post on the MySQL forum (I need to clarify other points, in particular how to connect to mysql via ssl, and I would not want to weigh down the mailing list with arguments that are not inherent to shorewall) and then come back here with a detailed report ;-)
>
> See you soon
>
> Davide
Re: [Shorewall-users] MySQL Replication with ssl connection and ports configuration
On Tue, Aug 22, 2017 at 12:26:30PM +0200, Davide Marchi wrote:
> Hi friends,
> I've just configured MySQL Replication, between two VPS Debian Jessie.
>
> I've opened the 3306 port on each server and the ssh port (60319), but this seems
> not sufficient,
> could you please suggest if I should open other specific TCP/UDP ports?
> .
>
> This is the syslog on MASTER:
>
> Aug 22 11:57:06 server kernel: [17623379.688961] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=5.189.144.220 DST=91.205.175.213 LEN=55 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=UDP SPT=38443 DPT=1370 LEN=35
> .
>
> This is the syslog on SLAVE:
>
> Aug 22 11:57:24 server2 kernel: [11466741.408787] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:fb:65:28:99:3a:4d:23:91:08:00 SRC=82.146.62.226 DST=5.189.166.16 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=5607 PROTO=TCP SPT=52617 DPT=3390 WINDOW=1024 RES=0x00 SYN URGP=0
> .

Hi Davide,

Diagnosing something like this typically requires the complete output of 'shorewall dump'. However, based on the syslog messages it looks like you simply need to add the 'routeback' option to the eth0 line in /etc/shorewall/interfaces on both hosts.

If that does not resolve the problem, please post the complete output of 'shorewall dump' so that we can help you identify the cause.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
[Shorewall-users] MySQL Replication with ssl connection and ports configuration
Hi friends,

I've just configured MySQL Replication, between two VPS Debian Jessie.

I've opened the 3306 port on each server and the ssh port (60319), but this seems not sufficient, could you please suggest if I should open other specific TCP/UDP ports?

This is "rules" for "MASTER" server:

?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

Invalid(DROP) net $FW tcp
Ping(DROP) net $FW
ACCEPT $FW net icmp
Web(ACCEPT) net $FW
ACCEPT net $FW tcp 443 #HTTPS
ACCEPT net $FW tcp 60319 #SSH
ACCEPT net $FW tcp 587 #SUBMISSION SERVICE DOVECOT
#ACCEPT net $FW tcp 465 #SUBMISSION SERVICE DOVECOT RFC DEPRECATED!!
ACCEPT net $FW tcp 995 #SUBMISSION SERVICE DOVECOT SSL/TSL
ACCEPT net $FW tcp 993 #SUBMISSION SERVICE DOVECOT SSL/TSL
ACCEPT net $FW tcp 110 #SUBMISSION SERVICE DOVECOT STARTTLS
ACCEPT net $FW tcp 143 #DOVECOT POSTFIX
ACCEPT net $FW tcp 25 #POSTFIX
#ACCEPT net $FW tcp 21 #PROFTP
ACCEPT net $FW tcp #PROSFTP
ACCEPT net $FW tcp 49152:65534 #PROSFTP PASSIVE PORT
ACCEPT net $FW tcp 3306 #MYSQL REPLICATION

This is "rules" for "SLAVE" server:

?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

Invalid(DROP) net $FW tcp
Ping(DROP) net $FW
ACCEPT $FW net icmp
Web(ACCEPT) net $FW
ACCEPT net $FW tcp 443 #HTTPS
ACCEPT net $FW tcp 60319 #SSH
ACCEPT net $FW tcp 587 #SUBMISSION SERVICE DOVECOT
ACCEPT net $FW tcp 465 #SUBMISSION SERVICE DOVECOT
ACCEPT net $FW tcp 995 #SUBMISSION SERVICE DOVECOT SSL/TSL
ACCEPT net $FW tcp 993 #SUBMISSION SERVICE DOVECOT SSL/TSL
ACCEPT net $FW tcp 110 #SUBMISSION SERVICE DOVECOT STARTTLS
ACCEPT net $FW tcp 143 #DOVECOT POSTFIX
ACCEPT net $FW tcp 25 #POSTFIX
ACCEPT net $FW tcp 3306 #MYSQL REPLICATION

This is the syslog on MASTER:

Aug 22 11:57:06 server kernel: [17623379.688961] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=5.189.144.220 DST=91.205.175.213 LEN=55 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=UDP SPT=38443 DPT=1370 LEN=35
Aug 22 11:57:43 server kernel: [17623415.939990] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=5.189.144.220 DST=91.205.175.213 LEN=55 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=UDP SPT=47055 DPT=1370 LEN=35
Aug 22 11:57:49 server kernel: [17623421.911426] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=83.147.104.92 DST=91.205.175.213 LEN=40 TOS=0x08 PREC=0x40 TTL=50 ID=58689 PROTO=TCP SPT=39204 DPT=23 WINDOW=35126 RES=0x00 SYN URGP=0
Aug 22 11:58:06 server kernel: [17623439.719721] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=5.189.144.220 DST=91.205.175.213 LEN=55 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=UDP SPT=38443 DPT=1370 LEN=35
Aug 22 12:05:07 server kernel: [17623859.923044] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=5.189.144.220 DST=91.205.175.213 LEN=55 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=UDP SPT=38443 DPT=1370 LEN=35
Aug 22 12:05:43 server kernel: [17623896.206829] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=5.189.144.220 DST=91.205.175.213 LEN=55 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=UDP SPT=47055 DPT=1370 LEN=35
Aug 22 12:06:06 server kernel: [17623919.099304] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=177.37.126.79 DST=91.205.175.213 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=54006 DF PROTO=TCP SPT=3869 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0
Aug 22 12:06:07 server kernel: [17623919.951563] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00
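The question in the thread is whether the DROP lines above have anything to do with the replication port. Below is an added example (my own code, not anything posted by Davide, Roberto or Bill, and not part of Shorewall) that parses Shorewall's netfilter log format, tallies the drops by protocol and destination port, separates out anything touching TCP/3306, and flags drops on ports that the posted MASTER "rules" file already ACCEPTs. The sample lines are copied from the messages above; the accepted-port list is read off the posted rules by hand, and the port-3306 check is a parameter so it can be adapted.

```python
import re
from collections import Counter

# Constructed sample: three of the Shorewall DROP lines posted in this thread
# (two from the MASTER host 'server', one from the SLAVE host 'server2').
SAMPLE_LOG = """\
Aug 22 11:57:06 server kernel: [17623379.688961] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=5.189.144.220 DST=91.205.175.213 LEN=55 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=UDP SPT=38443 DPT=1370 LEN=35
Aug 22 11:57:49 server kernel: [17623421.911426] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:a8:50:00:08:e3:ff:fd:90:08:00 SRC=83.147.104.92 DST=91.205.175.213 LEN=40 TOS=0x08 PREC=0x40 TTL=50 ID=58689 PROTO=TCP SPT=39204 DPT=23 WINDOW=35126 RES=0x00 SYN URGP=0
Aug 22 11:57:24 server2 kernel: [11466741.408787] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:50:56:3c:fb:65:28:99:3a:4d:23:91:08:00 SRC=82.146.62.226 DST=5.189.166.16 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=5607 PROTO=TCP SPT=52617 DPT=3390 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# TCP ports the posted MASTER 'rules' file ACCEPTs from net to $FW:
# single ports plus the passive-FTP range (hand-copied from the rules above).
MASTER_TCP_ACCEPT = [443, 60319, 587, 995, 993, 110, 143, 25, (49152, 65534), 3306]

_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: \[[\d.]+\] "
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<fields>.*)$"
)
_KV = re.compile(r"(\w+)=(\S*)")


def parse_shorewall_line(line):
    """Return a dict for one Shorewall netfilter log line, or None if it is not one."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "chain": m.group("chain"), "action": m.group("action")}
    # Bare flags (DF, SYN) carry no '=' and are skipped. LEN appears twice on
    # UDP lines (IP header, then UDP header); the last value wins.
    for key, value in _KV.findall(m.group("fields")):
        rec[key] = value
    for key in ("SPT", "DPT", "TTL", "ID"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def parse_log(text):
    """Parse every Shorewall line in a syslog excerpt, ignoring all other lines."""
    return [r for r in map(parse_shorewall_line, text.splitlines()) if r]


def drops_by_service(records, replication_port=3306):
    """Count DROPs, separating anything touching the replication port from the rest."""
    counts = Counter()
    for r in records:
        if r["action"] != "DROP":
            continue
        if r.get("PROTO") == "TCP" and replication_port in (r.get("DPT"), r.get("SPT")):
            counts["replication"] += 1
        else:
            counts["%s/%s" % (r.get("PROTO"), r.get("DPT"))] += 1
    return counts


def _port_accepted(port, accepted):
    """True if port is listed, either as a single port or inside a (low, high) range."""
    for entry in accepted:
        if isinstance(entry, tuple):
            if entry[0] <= port <= entry[1]:
                return True
        elif port == entry:
            return True
    return False


def unexpected_drops(records, accepted_tcp):
    """DROPs on TCP ports the rules say should be ACCEPTed. A non-empty result
    points at rule ordering or routing (e.g. interface options) rather than at
    a port that was simply never opened."""
    return [r for r in records
            if r["action"] == "DROP" and r.get("PROTO") == "TCP"
            and "DPT" in r and _port_accepted(r["DPT"], accepted_tcp)]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for svc, n in sorted(drops_by_service(recs).items()):
        print("%-12s %d" % (svc, n))
    print("drops on ports the rules accept:", len(unexpected_drops(recs, MASTER_TCP_ACCEPT)))
```

Run against the three posted lines, every drop lands in the "other" buckets (UDP/1370, TCP/23, TCP/3390), none involves TCP/3306, and none hits a port the MASTER rules accept. Feeding the script the full `journalctl -k` or `/var/log/syslog` output of both hosts gives the same split over real traffic, which is the first thing to check before adding interface options or opening further ports.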