Hi,
Cloud Firewall is a basic, easy-to-configure firewall with a user-friendly interface. However, the information on setting it up that you can find in the control panel might be confusing. So, let me explain how I see Cloud Firewall rules, because it is very likely that they work this way.
Inbound rules
If you had a MySQL server installed on your droplet, you would set up the following inbound rule:
Type | Protocol | Port Range | Sources
Custom | TCP | 3306 | 111.222.333.444
It means that a client from IP 111.222.333.444 can connect to the service (MySQL) that is listening on TCP port 3306. So, we could say the specified source IP is allowed to connect to the specified destination port.
Outbound rules
It is a different situation now. The MySQL server is installed somewhere on the internet, on a VM with IP 111.222.333.444. Its service is listening on TCP port 3306. You want to connect to it from your droplet. You set up the following outbound rule:
Type | Protocol | Port Range | Destinations
Custom | TCP | 3306 | 111.222.333.444
Correspondingly to the inbound rule, it means that your droplet is allowed to make a connection from the specified source port to the specified destination IP. Yes, I am pretty sure you specify a source port in an outbound rule, not a destination one. That is why your connection could not be established. I could not find any info on the MySQL client's source TCP port(s). I believe there are some ephemeral ports assigned to the connection session. They are probably from the range 1024-65535 (you can check it out with tshark or tcpdump). So, your outbound rule should look like this:
Type | Protocol | Port Range | Destinations
Custom | TCP | 1024-65535 | 111.222.333.444
P.S. There is just one proof of my thoughts in DO's docs, the following note:
Note
You can only define firewall rules to restrict traffic to and from ports
based on connection types, sources, and destinations.
(...)
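The post above suggests checking the MySQL client's source ports with tcpdump. Here is an added example of how to do that check, not part of the original post or of DigitalOcean's own tooling. It parses the kind of lines `tcpdump -n 'tcp dst port 3306'` prints, pulls out the source port of every SYN the client sends, and checks those ports against a range. The capture lines embedded below are constructed sample output (addresses from the 10.0.0.0/8 and 203.0.113.0/24 documentation ranges), and the `ephemeral_range` helper reads the Linux kernel's configured range, falling back to the IANA default where /proc is not available; these are assumptions for the example, so replace the sample with a real capture from your droplet.

```shell
#!/bin/sh
# Added example: verify which source ports a MySQL client actually uses,
# so an outbound port range can be checked against reality.

# Constructed sample of what `tcpdump -n 'tcp dst port 3306'` prints.
# Line 2 is the server's SYN-ACK and line 4 a data segment; both must be
# ignored, because only the client's SYN shows the chosen source port.
SAMPLE_CAPTURE='12:00:01.000001 IP 10.0.0.5.48212 > 203.0.113.10.3306: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 203.0.113.10.3306 > 10.0.0.5.48212: Flags [S.], seq 7, ack 2, win 65160, length 0
12:00:02.000001 IP 10.0.0.5.51007 > 203.0.113.10.3306: Flags [S], seq 2, win 64240, length 0
12:00:02.000500 IP 10.0.0.5.51007 > 203.0.113.10.3306: Flags [P.], seq 1:80, ack 1, win 502, length 79
12:00:03.000001 IP 10.0.0.5.33894 > 203.0.113.10.3306: Flags [S], seq 3, win 64240, length 0'

# Print the client source port of every SYN sent to TCP port 3306.
# In tcpdump -n output field 3 is "src.port" and field 5 is "dst.port:";
# the port is the last dot-separated component of field 3.
syn_source_ports() {
    printf '%s\n' "$1" | awk '
        /Flags \[S\]/ && $5 ~ /\.3306:$/ {
            n = split($3, a, ".")
            print a[n]
        }'
}

# Return 0 if every port (one per line in $1) lies within $2-$3,
# otherwise print each offender and return 1.
ports_within_range() {
    printf '%s\n' "$1" | awk -v lo="$2" -v hi="$3" '
        NF && ($1 < lo || $1 > hi) { bad = 1; print "port " $1 " outside " lo "-" hi }
        END { exit bad }'
}

# The range the kernel hands out to clients (Linux: net.ipv4.ip_local_port_range).
# Assumption: fall back to the IANA dynamic range when /proc is not readable.
ephemeral_range() {
    if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
        awk '{ print $1, $2 }' /proc/sys/net/ipv4/ip_local_port_range
    else
        echo "49152 65535"
    fi
}

# Usage: compare the observed ports with the range the post proposes (1024-65535)
# and with the range this kernel is actually configured to use.
ports=$(syn_source_ports "$SAMPLE_CAPTURE")
echo "observed client source ports: $(echo $ports)"
if ports_within_range "$ports" 1024 65535; then
    echo "all observed ports fall inside 1024-65535"
fi
set -- $(ephemeral_range)
echo "this kernel's ephemeral range: $1-$2"
ports_within_range "$ports" "$1" "$2" || echo "(sample ports are not from this kernel's range, as expected for a constructed capture)"
```

On a real droplet, run `tcpdump -n -l 'tcp dst port 3306'` while the client connects and feed its output to `syn_source_ports` instead of the sample; the printed ports are the ones an outbound rule written in terms of source ports would have to cover, and `ephemeral_range` shows the range the kernel will draw them from.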