SSH Tunnel & Firewall

SSH Tunnel

An SSH tunnel lets DbSchema connect to a database server securely through an intermediary SSH host. This is commonly used when the database port is not directly exposed to the internet.

To set up an SSH tunnel, open the SSH Tunnel tab in the Connection Dialog and provide:

  • SSH Host — the hostname or IP address of the SSH server.
  • SSH Port — the port the SSH server listens on (default: 22).
  • SSH User — the username on the SSH server.
  • Authentication — choose Password or Private Key (OpenSSH format). For key-based authentication, point DbSchema to your private key file (e.g., ~/.ssh/id_rsa).

The database host and port in the main Connection Dialog should refer to the database server as seen from the SSH host — often localhost if the database runs on the same machine as the SSH server.

Common Database Ports

The firewall on the database server may block incoming TCP/IP connections. If it does, open the port used by your database. The default ports are:

  • MySQL: 3306
  • PostgreSQL: 5432
  • SQL Server: 1433
  • Oracle Database: 1521
  • MongoDB: 27017

If your database was configured to use a non-default port, substitute that value in the commands below.

Opening Ports on Windows

Using Command Prompt (recommended)

Open Command Prompt as Administrator and run (replace 3306 with your port):

netsh advfirewall firewall add rule name="DatabasePort" dir=in action=allow protocol=TCP localport=3306

Using Windows Firewall GUI

  1. Open Windows Firewall with Advanced Security from the Start menu.
  2. In the left pane, right-click Inbound Rules and select New Rule.
  3. Follow the wizard:
    • Rule Type: Port
    • Protocol and Ports: TCP, specific port (e.g., 3306)
    • Action: Allow the connection
    • Profile: Select the profiles where the rule applies (Domain, Private, Public)
    • Name: Enter a descriptive name, e.g., Allow MySQL 3306 Inbound
  4. Click Finish to save the rule.

Opening Ports on Linux

Choose the firewall tool used by your distribution.

ufw (Ubuntu/Debian)

sudo ufw allow 3306/tcp
sudo ufw reload

firewalld (RHEL/CentOS/Fedora)

sudo firewall-cmd --permanent --add-port=3306/tcp
sudo firewall-cmd --reload

iptables

sudo iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
sudo service iptables save

Replace 3306 with the port number for your database.

Additional Considerations

  • Restrict access to trusted IP addresses only where possible, rather than opening the port to all traffic.
  • For cloud-hosted databases (AWS RDS, Azure SQL, Google Cloud SQL), configure inbound rules in the cloud provider's security group or firewall settings instead of the OS firewall.
  • If you still cannot connect after opening the firewall, verify that the database server itself is configured to accept remote connections (e.g., bind-address in MySQL, listen_addresses in PostgreSQL).
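
The commands earlier on this page admit any source address. The following added example (not part of DbSchema or its documentation) prints the source-restricted form of each rule for one trusted client; the helper name restricted_rule and the address 203.0.113.10 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: prints (never runs) a firewall rule limited to one source IP.
# restricted_rule is a hypothetical helper; 203.0.113.10 is a documentation
# address (RFC 5737) standing in for the trusted client.

valid_port() {   # integer in 1..65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ipv4() {   # dotted quad, each octet 0..255
    case "$1" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# restricted_rule TOOL PORT SOURCE_IP
# Rejects anything that is not a plain port number and IPv4 address, so the
# printed command cannot carry extra shell syntax.
restricted_rule() {
    tool=$1 port=$2 src=$3
    valid_port "$port" || { echo "invalid port: $port" >&2; return 2; }
    valid_ipv4 "$src"  || { echo "invalid source address: $src" >&2; return 2; }
    case "$tool" in
        ufw)
            printf '%s\n' "sudo ufw allow from $src to any port $port proto tcp" ;;
        firewalld)
            printf '%s\n' "sudo firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"$src\" port port=\"$port\" protocol=\"tcp\" accept'" ;;
        iptables)
            printf '%s\n' "sudo iptables -A INPUT -p tcp -s $src --dport $port -j ACCEPT" ;;
        netsh)
            printf '%s\n' "netsh advfirewall firewall add rule name=\"DatabasePort\" dir=in action=allow protocol=TCP localport=$port remoteip=$src" ;;
        *)
            echo "unknown tool: $tool" >&2; return 2 ;;
    esac
}

# Print the restricted form of each rule from this page for MySQL's port.
for t in ufw firewalld iptables netsh; do
    restricted_rule "$t" 3306 203.0.113.10
done
```

After applying the firewalld rule, run the reload command shown earlier. A broad rule for the same port that is already in place still admits all sources until it is removed.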