  1. #1
    Newbie
    Join Date
    Dec 2009
    Posts
    6

    Question UT Blocking MySQL?

    So I know this seems strange, but it seems as though UT is blocking MySQL traffic. My network is set up as follows:

    |Internet|---> |Endian Firewall/Router|---> |UT Bridge|---> |Switch|

    Inside the LAN I have a Fedora 12 server. Endian has an end-to-end IPSEC VPN tunnel to another network. I have never had any trouble getting data through the VPN tunnel. From any of my LAN machines, I can SSH, Ping, VNC, etc. into a Fedora server on the OTHER end of the tunnel. However, when I try to connect to it via MySQL on port 3306 the connection simply times out. If I attempt to telnet to port 3306 from the UT box it times out HOWEVER if I try to telnet to port 3306 from the Endian router it connects instantly. Maybe I'm missing something but it seems like UT is blocking something. I have added bypass rules for the server and tried to turn off all the rack items but the connection still times out when I'm behind UT. Any help would be appreciated!
    Thanks,
    Dan

  2. #2
    Newbie
    Join Date
    Dec 2009
    Posts
    6

    Alright, this is a case of stupid Dan I'm afraid... Turns out the IPS inside Endian was blocking the connection. Why it let me connect from itself I will never know. The rule was:

    Date: Jan 6 18:00:19 Name: ET POLICY External MYSQL Server Connection
    Priority: 1 Type: A Network Trojan was detected
    IP info: 10.x.x.x:3306 -> 192.x.x.x:56808
    References: none found SID: 2008572

    Sorry to have wasted your time, this thread can be closed. Thanks!
    Last edited by danodemano; 01-07-2010 at 07:27 AM.

  3. #3
    mdh
    Untangle Ninja mdh's Avatar
    Join Date
    Aug 2007
    Posts
    4,752

    We'll leave it here. Someone else may fall into the same hole. Glad you got it.

  4. #4
    Untangle Ninja dwasserman's Avatar
    Join Date
    Jun 2008
    Location
    Argentina
    Posts
    4,375

    It's a false positive of IDS?

  5. #5
    Newbie
    Join Date
    Dec 2009
    Posts
    6

    Quote Originally Posted by dwasserman
    It's a false positive of IDS?
    I don't think it's a false positive. The IDS doesn't expect MySQL connections to be going through it I don't think. Though in my opinion the IDS shouldn't be scanning the VPN traffic anyway so I may take this up with Endian. It doesn't scan its own traffic obviously, since I was able to connect from the Endian box itself without getting blocked.

  6. #6
    Untangle Ninja dwasserman's Avatar
    Join Date
    Jun 2008
    Location
    Argentina
    Posts
    4,375

    Quote: References: none found SID: 2008572

    Search in the configuration of snort in Endian, and disable the block option of this signature.

  7. #7
    Newbie
    Join Date
    Dec 2009
    Posts
    6

    Quote Originally Posted by dwasserman
    Quote: References: none found SID: 2008572

    Search in the configuration of snort in Endian, and disable the block option of this signature.
    That was how I fixed it. I posted it just for reference to let everyone know that I had fixed the issue. Thanks!
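
For anyone chasing a similar silent timeout, the following is an added example (not code from this thread or from Endian) that parses IPS alerts in the four-line layout quoted in post #2 and lists which SIDs fired on a given port, so the blocking signature can be identified before changing its action. The sample text, its addresses and SID 9000001 are constructed; only SID 2008572 and its rule name come from the thread.

```python
import re
from collections import Counter

# Constructed sample in the layout shown in post #2; addresses are made up.
SAMPLE = """\
Date: Jan 6 18:00:19 Name: ET POLICY External MYSQL Server Connection
Priority: 1 Type: A Network Trojan was detected
IP info: 10.0.0.5:3306 -> 192.168.1.20:56808
References: none found SID: 2008572
Date: Jan 6 18:00:22 Name: ET POLICY External MYSQL Server Connection
Priority: 1 Type: A Network Trojan was detected
IP info: 10.0.0.5:3306 -> 192.168.1.20:56811
References: none found SID: 2008572
Date: Jan 6 18:01:40 Name: CONSTRUCTED placeholder rule
Priority: 3 Type: Misc activity
IP info: 192.168.1.33:51000 -> 10.0.0.9:22
References: none found SID: 9000001
"""

# One alert = four consecutive lines: Date/Name, Priority/Type, IP info, References/SID.
ALERT = re.compile(
    r"Date:\s*(?P<date>.+?)\s+Name:\s*(?P<name>.+?)\s*\n"
    r"\s*Priority:\s*(?P<prio>\d+)\s+Type:\s*(?P<type>.+?)\s*\n"
    r"\s*IP info:\s*(?P<src>\S+):(?P<sport>\d+)\s*->\s*(?P<dst>\S+):(?P<dport>\d+)\s*\n"
    r"\s*References:.*?SID:\s*(?P<sid>\d+)"
)

def parse_alerts(text):
    """Return one dict per alert found in the text."""
    return [m.groupdict() for m in ALERT.finditer(text)]

def sids_for_port(text, port):
    """Count alerts per (SID, rule name) where either endpoint uses `port`.

    Both sides are checked because the alert in post #2 fired on the
    server's reply (source port 3306), not on the client's request.
    """
    port = str(port)
    hits = Counter()
    for alert in parse_alerts(text):
        if port in (alert["sport"], alert["dport"]):
            hits[(int(alert["sid"]), alert["name"])] += 1
    return hits

if __name__ == "__main__":
    for (sid, name), count in sids_for_port(SAMPLE, 3306).most_common():
        print(f"SID {sid}: {count} alert(s) - {name}")
```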
