SQL firewall


This topic describes how to configure the SQL firewall for an instance in the OceanBase console.

Background information

A SQL firewall is a software layer that protects a database by monitoring and filtering the SQL statements sent to it, so that SQL injection and other malicious activity can be detected and blocked. SQL injection is a common attack against database-backed applications in which an attacker smuggles SQL fragments into a query through untrusted input, causing the database to perform operations the application never intended, such as reading data it should not expose, modifying data, or destroying schema objects.

OceanBase applies SQL firewall rules in the database proxy to monitor and intercept SQL statements in real time, which adds a defensive layer in front of the database against these attacks. The firewall complements, and does not replace, parameterized queries and least-privilege database accounts in the application.

Prerequisites

The database proxy of the instance must be V4.3.2 or later. For more information about the database proxy service, see Overview of the database proxy service.

Notes

Before you enable the SQL firewall, take note of the following:

  1. The SQL firewall uses hot reloading: a rule takes effect in real time for new transactions in all sessions, and you do not need to restart the database proxy service. Proceed with caution, because a rule that is too broad blocks legitimate statements from the moment it is saved. Consider testing a new rule in Inspection mode before switching it to Defense mode.

  2. Enabling the SQL firewall can reduce database performance by approximately 10%.

Manage the SQL firewall

  1. Log on to the OceanBase console.

  2. In the navigation pane on the left, click Instance List.

  3. In the instance list, click the name of the target cluster instance to go to the Cluster Instance Workspace page.

  4. In the navigation pane on the left, click Security Settings.

  5. On the Security Settings page, click the SQL Firewall tab to view the list of existing firewall rules.

  6. On this tab you can create, enable, edit, and delete SQL firewall rules, as described in the following sections.

Create a SQL firewall rule

  1. On the SQL Firewall page, click Create Rule.


  2. On the Create Rule page, specify the rule configuration.

    Parameter: Description

    Rule Name: The name of the SQL firewall rule. The name must be 2 to 32 characters in length and can contain only letters, digits, underscores (_), and hyphens (-).

    Rule Description: A brief description of the rule for future reference.

    Tenant: The tenant for which the rule takes effect.

    Database Proxy: The database proxy on which the rule is enforced.

    Database Account: The database account for which the rule takes effect. If you leave this empty, the rule applies to all database accounts.

    Rule Type: Interception rule.

    Mode:

    • Inspection mode: Records the SQL type of matching statements but does not intercept them. Use this mode first to confirm that a new rule matches only the traffic you intend to block.

    • Defense mode: Intercepts and records matching SQL statements.

    Firewall Rule:

    • Intercept specific SQL types: Intercepts statements of the selected types. You can select SELECT, UPDATE, INSERT, DELETE, CREATE, DROP, ALTER, TRUNCATE, RENAME, or REPLACE.

    • Intercept SQL without a WHERE clause: Intercepts statements of the selected types that have no WHERE clause, for example a DELETE or UPDATE that would affect every row of a table. You can select SELECT, UPDATE, or DELETE.

    • Intercept custom SQL: A regular expression that is matched against the statement text. For example, to intercept statements that use ORDER BY or GROUP BY: ORDER\s+BY|GROUP\s+BY

    Enable Rule: If you select this option, the rule takes effect immediately after it is saved. If you do not select this option, the rule configuration is saved but remains disabled. You can edit and enable it later.

  3. Click OK.
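To make the three Firewall Rule options concrete (the same options appear when you edit a rule), the following is an added example that is not OceanBase code and does not reflect the proxy's internal implementation: a small Python model of a rule set with the console's three match kinds, the account scope, and the Inspection/Defense distinction, run over constructed sample statements. The comment-skipping, string-literal handling, and case-insensitive regex matching are assumptions made for the model; the page does not state how the proxy parses statements or which regex flags it uses.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Tuple, List, Dict

# Statement types the console lets you select under "Intercept specific SQL types".
SQL_TYPES = ("SELECT", "UPDATE", "INSERT", "DELETE", "CREATE", "DROP",
             "ALTER", "TRUNCATE", "RENAME", "REPLACE")

# Leading /* */, -- and # comments are skipped before reading the first keyword
# (assumption for this model; the page does not describe the proxy's parser).
_LEADING_JUNK = re.compile(r"^(?:\s*(?:/\*.*?\*/|--[^\n]*\n|#[^\n]*\n))*\s*", re.S)
_STRING_LITERAL = re.compile(r"'(?:[^'\\]|\\.)*'")


def statement_type(sql: str) -> Optional[str]:
    """Classify a statement by its first keyword, e.g. 'DELETE FROM t' -> 'DELETE'."""
    m = re.match(r"[A-Za-z]+", _LEADING_JUNK.sub("", sql))
    if not m:
        return None
    kw = m.group(0).upper()
    return kw if kw in SQL_TYPES else None


def lacks_where(sql: str) -> bool:
    """True when no WHERE keyword appears outside single-quoted string literals."""
    return re.search(r"\bWHERE\b", _STRING_LITERAL.sub("''", sql), re.I) is None


@dataclass
class Rule:
    name: str
    mode: str                                # "inspection" (log only) or "defense" (log and block)
    accounts: Tuple[str, ...] = ()           # empty = applies to all database accounts
    sql_types: Tuple[str, ...] = ()          # "Intercept specific SQL types"
    no_where_types: Tuple[str, ...] = ()     # "Intercept SQL without a WHERE clause"
    custom_pattern: Optional[str] = None     # "Intercept custom SQL", a regular expression
    enabled: bool = True

    def reason(self, sql: str) -> Optional[str]:
        """Why this rule matches the statement, or None if it does not."""
        t = statement_type(sql)
        if t in self.sql_types:
            return "type " + t
        if t in self.no_where_types and lacks_where(sql):
            return t + " without WHERE"
        # Case-insensitive search is an assumption; the page does not state the flags.
        if self.custom_pattern and re.search(self.custom_pattern, sql, re.I):
            return "custom pattern"
        return None


@dataclass
class Firewall:
    rules: List[Rule]
    log: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def check(self, account: str, sql: str) -> bool:
        """Return True if the statement may proceed, False if a defense-mode rule blocks it."""
        allowed = True
        for r in self.rules:
            if not r.enabled or (r.accounts and account not in r.accounts):
                continue
            why = r.reason(sql)
            if why is None:
                continue
            self.log.append((r.name, r.mode, account, why))   # both modes record a hit
            if r.mode == "defense":
                allowed = False                                # only defense mode intercepts
        return allowed


def demo() -> Tuple[Firewall, Dict[Tuple[str, str], bool]]:
    """Run constructed sample traffic through three rules shaped like the console's options."""
    fw = Firewall(rules=[
        Rule("no-ddl-from-app", "defense", accounts=("app_rw",),
             sql_types=("DROP", "TRUNCATE", "ALTER")),
        Rule("no-blind-dml", "defense", no_where_types=("UPDATE", "DELETE")),
        Rule("audit-sorting", "inspection", custom_pattern=r"ORDER\s+BY|GROUP\s+BY"),
    ])
    traffic = [  # constructed sample statements, not captured from any real system
        ("app_rw", "DELETE FROM orders WHERE id = 1"),
        ("app_rw", "DELETE FROM orders"),
        ("app_rw", "UPDATE users SET note = 'where is it'"),
        ("app_rw", "DROP TABLE users"),
        ("dba",    "DROP TABLE users"),
        ("app_rw", "SELECT * FROM users ORDER BY id"),
        ("app_rw", "SELECT id FROM users WHERE id = 1 ORDER/**/BY id"),
    ]
    return fw, {(acct, sql): fw.check(acct, sql) for acct, sql in traffic}


if __name__ == "__main__":
    fw, results = demo()
    for (acct, sql), ok in results.items():
        print(f"{'ALLOW' if ok else 'BLOCK':5} {acct:6} {sql}")
    for entry in fw.log:
        print("log:", entry)
```

Two outcomes are worth noting when you design real rules. The UPDATE whose only "where" sits inside a string literal is still a statement without a WHERE clause and is blocked, which is the behaviour you want. The last SELECT, with a comment between ORDER and BY, is not matched by the literal pattern ORDER\s+BY|GROUP\s+BY in a plain regex engine, so a custom rule written that way depends on whether the proxy normalizes comments before matching, which the page does not specify. Check such cases in Inspection mode against your own traffic before relying on the rule in Defense mode.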

Enable a SQL firewall rule

  1. On the SQL Firewall page, find the target rule and click Edit in the Actions column.

  2. On the Edit Rule page, in the Enable Rule section, select Enable Firewall Rule.

Edit a SQL firewall rule

  1. On the SQL Firewall page, find the target rule and click Edit in the Actions column.


  2. On the Edit Rule page, modify the rule configuration. The parameters are the same as those described in Create a SQL firewall rule.


  3. Click OK.

Delete a SQL firewall rule

  1. On the SQL Firewall page, find the target rule and click Delete in the Actions column.


  2. Confirm the deletion in the dialog box.


  3. Click Delete.