how to restrict inbound connection to mysql server to specified IP address by firewall setting

Question

background purpose: I want to restrict inbound connection to MYSQL server only for specific host by setting inbound rules of windows firewall. I mean, I want to allow only specific host to connect to the MYSQL server.

In the windows firewall setting, this is what I saw by default:

both ports are opened. so, I blocked all the inbound connection to the port 33060 because I don't expect inbound from X-Protocol:

Then, I tried to connect to the MYSQL server from my local pc and the connection succeeded. Next, I tried to restrict inbound connection to the port 3306 of the MYSQL server only to specified IP address:

at first, select Allow the connection if it is secure.

second, specified remote IP address by which I am connecting to this MYSQL server.

in the part of black out in the image above, I typed my global IP address(IPv4) of my local pc. I typed it in XX.XXX.XXX.XX format. I got my global IP address in this onlne service. then I tested to connect to the MYSQL server from my local pc, but it didn't get through.

I tested connection by Test-NetConnection in windows powershell. But, the connection to the port failed..

what am I wrong with?

Test1:

I tested like the below, too.

I change setting like below: Remote IP address to by Any IP address.

and left the setting below as it is:

Allow the connection if it is secure

then, try Test-NetConnection in windows powershell. but it doesn't get through to the port..

Test2:

I again tested like the below, too.

I keep setting like below: Remote IP address.

and changed the setting below:

Allow the connection

then, try Test-NetConnection in windows powershell. but it doesn't get through to the port again..

@RickJames Thanks for your advice but I would like to restrict inbound connection by firewall setting. — Herbert, Aug 25 '20 at 04:47
So, this is a "firewall" question, not a database question? Update the tags. — Rick James, Aug 25 '20 at 05:20

Gerald Schneider · Answer 1 · 2020-08-26T06:47:43.243

0

Remove the option "allow the connection if it is secure". This adds an additional authentication and encryption layer that isn't supported by the MySQL client. You can't use it here.

Additionally, if you only get the message failed, as in your screenshot, then the MySQL server is not listening on that interface. If the problem were the firewall, you would get a message TimedOut.

Make sure the MySQL server is listening on the external interface or all interfaces (0.0.0.0) instead of only the loopback interface (127.0.0.1), which is most probably the default.

You can check this by running this on the server:

Get-NetTCPConnection -State Listen -LocalPort 3306

edited Aug 26 '20 at 06:47

answered Aug 25 '20 at 05:49

Gerald Schneider

23,274
8
57
89

I tested it after removing the option but it doesn't get through. I update OP about that, too. – Herbert Aug 25 '20 at 06:06
How does it "not get through"? Do you get a timeout or a connection refused? – Gerald Schneider Aug 25 '20 at 06:11

score 0 · Answer 2 · answered Aug 25 '20 at 05:50

0

You need to change the setting to Allow this connection, not "Allow this connection if it is secure".

The latter setting will allow the connection only if it is protected via IPSec, which you almost certainly are not using and will never use.

answered Aug 25 '20 at 05:50

Michael Hampton

244,070
43
506
972

I tested it after removing the option but it doesn't get through. I update OP about that, too. – Herbert Aug 25 '20 at 06:06
@Herbert Now you need to check that you used the correct IP address. – Michael Hampton Aug 25 '20 at 06:07
the global IP address of my client local pc is the one I got on [this page](https://www.luft.co.jp/cgi/en/ipcheck.php). So, i think it should be correct? – Herbert Aug 25 '20 at 06:18

how to restrict inbound connection to mysql server to specified IP address by firewall setting

2 Answers2