SSH Tunnel & Firewall

Table of Contents

  1. SSH tunnel
  2. Common database ports
  3. Opening ports on Windows
  4. Opening ports on macOS
  5. Opening ports on Linux
  6. Troubleshooting checklist
  7. Additional considerations
  8. FAQ

SSH Tunnel

An SSH tunnel lets DbSchema connect to a database server securely through an intermediary SSH host. This is commonly used when the database port is not directly exposed to the internet.

To set up an SSH tunnel, open the SSH Tunnel tab in the Connection Dialog and provide:

  • SSH Host — the hostname or IP address of the SSH server.
  • SSH Port — the port the SSH server listens on (default: 22).
  • SSH User — the username on the SSH server.
  • Authentication — choose Password or Private Key (OpenSSH format). For key-based authentication, point DbSchema to your private key file (e.g., ~/.ssh/id_rsa).

The database host and port in the main Connection Dialog should refer to the database server as seen from the SSH host — often localhost if the database runs on the same machine as the SSH server.

Common Database Ports

The firewall on the database server may block incoming TCP/IP connections. You need to open the port used by your database:

  • MySQL: 3306
  • PostgreSQL: 5432
  • SQL Server: 1433
  • Oracle Database: 1521
  • MongoDB: 27017

If your database was configured to use a non-default port, substitute that value in the commands below.

Opening Ports on Windows

Using Command Prompt (recommended)

Open Command Prompt as Administrator and run (replace 3306 with your port):

netsh advfirewall firewall add rule name="DatabasePort" dir=in action=allow protocol=TCP localport=3306

Using Windows Firewall GUI

  1. Open Windows Firewall with Advanced Security from the Start menu.
  2. In the left pane, right-click Inbound Rules and select New Rule.
  3. Follow the wizard:
    • Rule Type: Port
    • Protocol and Ports: TCP, specific port (e.g., 3306)
    • Action: Allow the connection
    • Profile: Select the profiles where the rule applies (Domain, Private, Public)
    • Name: Enter a descriptive name, e.g., Allow MySQL 3306 Inbound
  4. Click Finish to save the rule.

Opening Ports on macOS

On macOS, the built-in Application Firewall usually controls app-level access rather than raw database ports. For remote databases, the safer and simpler option is often to use an SSH tunnel from DbSchema instead of opening the database port broadly.

If you must expose a local database service, configure the database to listen on the correct interface, then review any host firewall or packet-filter rules that apply in your environment.

Opening Ports on Linux

Choose the firewall tool used by your distribution.

ufw (Ubuntu/Debian)

sudo ufw allow 3306/tcp
sudo ufw reload

firewalld (RHEL/CentOS/Fedora)

sudo firewall-cmd --permanent --add-port=3306/tcp
sudo firewall-cmd --reload

iptables

sudo iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
sudo service iptables save

Replace 3306 with the port number for your database.

Troubleshooting checklist

If DbSchema still cannot connect after you open the firewall, check these in order:

  1. the database server is actually running
  2. the host name and port are correct
  3. the database is configured for remote connections
  4. the user is allowed to connect from your client host
  5. an SSH tunnel is used when the database is intentionally private
  6. a cloud security group or load balancer is not blocking the traffic upstream

Additional Considerations

  • Where possible, restrict access to trusted IP addresses rather than opening the port to all traffic.
  • For cloud-hosted databases (AWS RDS, Azure SQL, Google Cloud SQL), configure inbound rules in the cloud provider's security group or firewall settings instead of the OS firewall.
  • If you still cannot connect after opening the firewall, verify that the database server itself is configured to accept remote connections (e.g., bind-address in MySQL, listen_addresses in PostgreSQL).
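
The first point above, applied to the three Linux firewall tools on this page, as an added example (not part of DbSchema's documentation): a POSIX shell helper that prints a source-restricted allow rule for review instead of applying it. The function names and the sample addresses are constructed for illustration.

```sh
#!/bin/sh
# Added example: print (never apply) an allow rule limited to one trusted source.
# Usage: restricted_rule <ufw|firewalld|iptables> <port> <ipv4[/prefix]>

# Accept a dotted-quad IPv4 address with an optional /1../32 prefix.
# /0 is rejected because it would open the port to every address again.
valid_source() {
  addr=${1%/*}; prefix=32
  case $1 in */*) prefix=${1#*/} ;; esac
  case $prefix in ''|0*|*[!0-9]*|???*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  case $addr in
    *[!0-9.]*|*..*|.*|*.|*.*.*.*.*) return 1 ;;   # bad chars, empty or extra octets
    *.*.*.*) ;;
    *) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
  for octet in "$@"; do
    case $octet in 0?*|????*) return 1 ;; esac    # no leading zeros, max 3 digits
    [ "$octet" -le 255 ] || return 1
  done
}

restricted_rule() {
  tool=$1; port=$2; src=$3
  # Port: decimal 1..65535, no leading zero.
  case $port in ''|0*|*[!0-9]*|??????*) echo "invalid port: $port" >&2; return 2 ;; esac
  [ "$port" -le 65535 ] || { echo "invalid port: $port" >&2; return 2; }
  valid_source "$src" || { echo "invalid or unrestricted source: $src" >&2; return 2; }
  case $tool in
    ufw)
      echo "sudo ufw allow from $src to any port $port proto tcp" ;;
    firewalld)
      echo "sudo firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"$src\" port port=\"$port\" protocol=\"tcp\" accept'" ;;
    iptables)
      echo "sudo iptables -A INPUT -p tcp -s $src --dport $port -j ACCEPT" ;;
    *)
      echo "unknown firewall tool: $tool" >&2; return 2 ;;
  esac
}

# Demo with constructed values (203.0.113.0/24 is a documentation range).
restricted_rule ufw 3306 203.0.113.10
restricted_rule firewalld 5432 203.0.113.0/24
restricted_rule iptables 3306 0.0.0.0/0 || echo "rejected: not a restricted source"
```

A source-restricted rule has no effect while a broad allow rule for the same port (such as the ones in the Linux section) is still in place, so remove that rule first.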

FAQ

When should I use an SSH tunnel instead of opening the database port?

Use an SSH tunnel when the database should remain private and only a secure jump host is exposed.

What port should I open for PostgreSQL, MySQL, or MongoDB?

The default ports are PostgreSQL 5432, MySQL 3306, and MongoDB 27017, unless your installation uses a custom port.

Why can DbSchema still fail after I open the firewall?

The most common causes are wrong host/port settings, the database listening only on localhost, missing user privileges, or a separate cloud firewall/security group still blocking traffic.