Get alerted when assets are down, slow, or vulnerable to SSL attacks—all free for a month. Learn more

Question

Can't connect to a managed database unless all TCP ports are enabled in DO Firewall

Hi.

As the title suggests, I can only connect to my managed database if I enable all Outbound TCP Ports in DO Firewall.

I have tried to only allow port 25060 with no success.

Both the droplet and the managed database are in the same region (NYC3).

The error I’m getting if I remove all TCP ports from the firewall: Unknown MySQL server host

Any suggestions?

Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Want to learn more? Join the DigitalOcean Community!

Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in Q&A, subscribe to topics of interest, and get courses and tools that will help you grow as a developer and scale your project or business.

MantarayFebruary 14, 2022

Hi, Recently I have a similar problem, to resolved it, I had to add the rule to UDP too.

Janusz SzeligowskiDecember 30, 2020

Hi,

Cloud Firewall is a basic, easy to configure firewall with a user-friendly interface. However, the information on setting it up that you can find in control panel might be confusing. So, let me explain how I can see Cloud Firewall rules because it is very likely that they work in this way.

Inbound rules

If you had MySQL server installed on your droplet, you would set up the following inbound rule:

Type Protocol Port Range Sources
Custom TCP 3306 111.222.333.444

It means that client from IP 111.222.333.444 can connect to the service (MySQL) that is listening on port TCP 3306. So, we could say specified source IP is allowed to connect to specified destination port.

Outbound rules

It is defferent situation now. MySQL server is installed somewhere in the internet, on a VM with IP 111.222.333.444. Its service is listening on port TCP 3306. You want to connect to it from your droplet. You set up the following outbound rule:

Type Protocol Port Range Destinations
Custom TCP 3306 111.222.333.444

Correspondingly to the Inbound rule, it means that your droplet is allowed to make a connection from specified source port to specified destination IP. Yes, I am pretty sure you specify a source port in an outbound rule, not a destination one. That is why your connection could not be established. I could not find any info on MySQL client’s source TCP port(s). I believe there are some ephemeral ports assigned to the connection session. They are probably from a range 1024-65535 (you can check it out with tshark or tcpdump). So, your outbound rule should look like that:

Type Protocol Port Range Destinations
Custom TCP 1024-65535 111.222.333.444

P.S. There is just one proof of my thoughts in DO’s doc. The following note:

Note
You can only define firewall rules to restrict traffic to and from ports 
based on connection types, sources, and destinations. 
(...)
Bobby IlievDecember 20, 2020

Hi there @SmallLapisSquid,

I believe that you need to allow the connections for port 25060 for outbound connections as well as inbound.

Let me know how it goes. Regards, Bobby

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up