Welcome to the FWSQL home page
Project description
FWSQL is a SQL firewall. Its main purpose is to analyze each SQL query and, if it is allowed, proxy it to a SQL server.
The FWSQL project also includes the sqlsniff tool.
SQLsniff is designed for people who fear any performance decrease, at the cost of being unable to block invalid queries.
Architecture
FWSQL can run in 4 modes:
- Proxy mode: in this mode FWSQL simply proxies SQL requests.
- Learning mode: in this mode FWSQL learns each SQL query passing through it and stores it in its allowed-query database.
- Permissive mode: FWSQL lets every SQL query pass but warns you when an unknown query is detected.
- Enforcing mode: FWSQL lets only known SQL queries pass and blocks all other, unknown queries.
Backend support
FWSQL handles MySQL and PostgreSQL database servers, and support for more SQL servers can easily be added in the future.
Load balancing of multiple backends
FWSQL supports multiple load-balancing modes:
- Classic load balancing: you can give FWSQL multiple backends and it will load-balance SQL query requests across these servers.
- Advanced load balancing: since FWSQL reads each SQL request, it can forward some requests (typically write requests) to master SQL servers and others (read requests) to slave SQL servers. With that, you can do read/write SQL query load balancing even if your application does not support it.
FWSQL is licensed under GPLv3.
FWSQL News
- 18 April 2014: FWSQL 0.4. FWSQL now handles zlib compression.
- 31 July 2012: FWSQL 0.3. FWSQL now handles multiple FWSQL user databases.
- 14 March 2012: FWSQL 0.2. FWSQL now handles PostgreSQL databases and IPv6 networks.
- 01 March 2012: FWSQL 0.1
Roadmap
Feature | 0.1 | 0.2 | 0.3 | 0.4 | 0.5 | 1.0
Classic loadbalancing | NO | NO | NO | NO | ? | MUST BE DONE
Advanced loadbalancing | NO | NO | NO | NO | ? | MUST BE DONE
MYSQL 5 | OK | OK | OK | OK | OK | OK
PostgreSQL | NO | OK | OK | OK | OK | OK
IPv6 | NO | OK | OK | OK | OK | OK
Per USER SQL query list | NO | NO | OK | OK | OK | OK
SSL | NO | NO | NO | NO | ? | MUST BE DONE
Compression support | NO | NO | NO | OK | OK | MUST BE DONE
SECCOMP FILTER | NO | NO | NO | NO | ? | MUST BE DONE
Current release: 0.4. Future release: 0.5.
- "DONE" means that it is thought to be fully implemented. May contain bugs.
- "MOSTLY" means that it is mostly implemented and may have known bugs.
- "WIP" means that I have started on the initial implementation.
- "UNK" means that I haven't tested it.
Features descriptions
- SSL: FWSQL must support SSL connections from clients, probably via OpenSSL.
- Per USER SQL query list: by default, FWSQL stores all allowed queries in one file, fwsql.db. When the per-user querydb file is enabled, FWSQL splits the queries into multiple files (one per SQL login) named with the pattern fwsql.db_login.
- Compression support: FWSQL disables all compression between client and backend. FWSQL must support compression via zlib.
Download
All available downloads can be found at Sourceforge.net.
- Current release: FWSQL 0.4
- MD5SUM: 69ccb2ca13dbdccb6eb762a0075347d5
- SHA1SUM: 8777b13a0b5fdab2028f38c563ebad8163a14b44
Installation, configuration, supported systems
Supported platforms
For the moment, FWSQL only supports MySQL 5.x and PostgreSQL 9 (PostgreSQL 8 isn't tested).
FWSQL runs only on Linux/Unix/BSD platforms.
Installation
Manual installation
./configure
make
make install
Configuration
Now you can edit fwsql.config to your needs.
You will probably only need to edit BACKEND and MODE.
fwsql.config example:
# Backend address or path to a unix socket
BACKEND=127.0.0.1
#BACKEND=/var/run/mysqld/mysqld.sock
# Backend port, not needed in case of a unix socket
BACKENDPORT=3306
# FWSQL listen port
LISTEN=1212
# possible mode choices: learn, permissive, enforcing
MODE=enforcing
Usage and FWSQL querydb Format
You will probably run it in learning mode first.
When you think the application has issued every SQL query it can, run it in permissive mode (or even enforcing mode).
You can manually add SQL queries to the FWSQL querydb format file fwsql.db (or fwsql.db_username if you use the per-user query DB).
This file is the list of allowed SQL queries in FWSQL format.
The FWSQL format is simply the SQL query with each of its constant keywords separated by a space.
For FWSQL, a constant keyword is any SQL word (SELECT, AND, etc.) or separator (, ;).
Variable keywords (words between single or double quotes, and numbers) must be written as follows:
- All numbers must be written as 0
- All values between single quotes must be written as 'S'
- All values between double quotes must be written as "S"
Examples:
SELECT * FROM LOGINS
SELECT * FROM PASSWORD WHERE pass = 'S'
For example, after benchmarking with mysqlslap, this is the content of fwsql.db:
CREATE SCHEMA `mysqlslap`
CREATE TABLE `t1` ( intcol1 INT(32) , charcol1 VARCHAR(128))
DROP SCHEMA IF EXISTS `mysqlslap`
INSERT INTO t1 VALUES ( 0 , 'S' )
SELECT intcol1 , charcol1 FROM t1
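The querydb rules above (numbers to 0, quoted values to 'S' / "S", constant keywords space-separated) together with the learn / permissive / enforcing decision, worked through in Python as an added example. This is not FWSQL's own code: the project's real tokenizer may differ in detail (the mysqlslap sample above keeps INT(32) unchanged, whereas this version splits parentheses and replaces every standalone number, so that column definition would become INT ( 0 ) here). The sample statements are constructed. What matters in practice is that the same normalizer produces fwsql.db in learning mode and checks live queries in enforcing mode, which is what the code does.

```python
import re

# Added example (not FWSQL's own code): normalise SQL statements into the
# querydb form described above and apply the learn / permissive / enforcing
# decision to them. Sample statements below are constructed for the demo.

# Token pattern, alternatives tried left to right:
#   1. single-quoted string literal ('' and \' escapes stay inside the literal)
#   2. double-quoted string literal ("" and \" escapes likewise)
#   3. backtick-quoted identifier, kept verbatim
#   4. a run of word characters, optionally dotted: keywords, identifiers,
#      numbers, schema.table
#   5. any other single non-space character: separators such as , ; ( ) = *
_TOKEN = re.compile(r"""
      '(?:[^'\\]|\\.|'')*'
    | "(?:[^"\\]|\\.|"")*"
    | `[^`]*`
    | \w[\w.]*
    | \S
""", re.VERBOSE)

_NUMBER = re.compile(r"\d+(?:\.\d+)?")


def normalize(query: str) -> str:
    """Rewrite one SQL statement in FWSQL querydb form: numbers -> 0,
    'value' -> 'S', "value" -> "S", everything else joined by single spaces."""
    out = []
    for tok in _TOKEN.findall(query):
        if tok.startswith("'"):
            out.append("'S'")
        elif tok.startswith('"'):
            out.append('"S"')
        elif _NUMBER.fullmatch(tok):
            out.append("0")
        else:
            out.append(tok)
    return " ".join(out)


def learn(queries) -> set:
    """Learning mode: the allowed set is the normalised form of what was seen."""
    return {normalize(q) for q in queries}


def dump_querydb(querydb) -> str:
    """fwsql.db layout as shown on this page: one allowed query per line."""
    return "\n".join(sorted(querydb)) + "\n"


def load_querydb(text: str) -> set:
    """Read the fwsql.db layout back in; blank lines are ignored."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def decide(query: str, querydb: set, mode: str = "enforcing") -> str:
    """Verdict for one statement under the modes listed on this page.
    Returns "pass", "warn" (permissive: unknown shape, let through with a
    warning) or "block" (enforcing: unknown shape). In learn mode the shape
    is recorded into querydb and the statement passes."""
    shape = normalize(query)
    if mode == "proxy" or shape in querydb:
        return "pass"
    if mode == "learn":
        querydb.add(shape)
        return "pass"
    if mode == "permissive":
        return "warn"
    return "block"


if __name__ == "__main__":
    # Constructed learning-phase traffic (not captured from a real system).
    seen = [
        "SELECT * FROM LOGINS",
        "SELECT * FROM PASSWORD WHERE pass = 'hunter2'",
        "INSERT INTO t1 VALUES (42, 'hello')",
        "SELECT intcol1, charcol1 FROM t1",
    ]
    db = learn(seen)
    print(dump_querydb(db))
    # Same shape, different constant: allowed, since FWSQL matches shapes.
    print(decide("SELECT * FROM PASSWORD WHERE pass = 'other'", db))   # pass
    # An appended clause changes the shape: blocked in enforcing mode,
    # only reported in permissive mode.
    q = "SELECT * FROM PASSWORD WHERE pass = 'x' OR 1 = 1"
    print(decide(q, db), decide(q, db, "permissive"))                  # block warn
```

Note the consequence of shape matching: a statement that only changes constant values is indistinguishable from the learned one and passes, which is the intended trade-off of this kind of firewall; only a change in the statement's structure (an extra clause, a different column list) is detected. Quoted literals are consumed as single tokens so a quote character inside a value does not alter the shape seen by the matcher.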
The SQLsniff tool
SQLsniff is a live SQL session analyzer. It uses libpcap to capture network traffic.
For each captured packet, SQLsniff does the same work as FWSQL except for the blocking part.
In learning mode, SQLsniff learns every SQL query it sees.
In permissive (and enforcing) mode, SQLsniff only warns about unknown queries.
At the moment there is no way to block unknown queries with SQLsniff.
Support, bugs, patches, criticism, etc.
Patches, contributions and criticism (even bad :) ) are welcome.
You can perhaps find me on channel #fwsql on the Freenode IRC servers, or follow me on twitter: @CodingMontjoie