[imp] mysql port 3306

Rick Romero rick@valeoinc.com
Tue, 21 Nov 2000 15:23:41 -0600


It's done via command line options; follow the link below for ALL 
command line options.  It's really better to have mysql listening 
ONLY on 127.0.0.1, rather than use the 'firewall' portion to drop 
packets. It's just cleaner that way.

127.0.0.1 is the 'internal' ip address of your machine.  If you didn't 
have a Network Card, or a Modem, you wouldn't have an ip address 
to connect to, right?  Not quite. You should always have 127.0.0.1 
available for connecting to local services on your machine.  This is 
a non-routable IP address.  No-one can reach your machine via 
that IP.  It only exists internally.

So, if you bind (make your app listen) MYSQL on that IP only, no 
machine, other than your own, can connect to MYSQL.

Example:
If you start mysql by running mysqld:
mysqld --bind-address=127.0.0.1 &

Now MySQL won't listen for requests from external machines.  You 
can always test by telnetting to your machine on the port that 
MYSQL is listening on, e.g.:
telnet my.ext.ip.addr 3306

Good Luck!

On 21 Nov 2000, at 15:40, Mark Orenstein wrote:

> Yes, I'm using linux (RedHat 6.2).  Can you further explain what you mean by
> "bind the MySQL process to listen only on the 127.0.0.1" and how?  I'm a
> newbie.  In the meantime, I've been looking at a bit of MySQL doc and it
> appears that all localhost communication is done via a Unix socket, so I've
> gone ahead and blocked all access to port 3306.
> 
> Mark Orenstein
> 
> 
> -----Original Message-----
> From: Rick Romero [mailto:rick@valeoinc.com]
> Sent: Tuesday, November 21, 2000 11:38 AM
> To: imp@lists.horde.org
> Subject: RE: [imp] mysql port 3306
> 
> 
> 
> I was just looking for that; here's the link to the command line
> option:
> http://www.mysql.com/documentation/mysql/commented/manual.php?section=Command-line_options
> 
> --bind-address=IP
> 
> On 21 Nov 2000, at 16:28, Anil Madhavapeddy wrote:
> 
> > Mark Orenstein wrote:
> > >
> > > I'm running sendmail/imap/horde/imp/mysql on one PC.  I'm looking to secure
> > > this PC as much as I can.  Via a netstat -anp, I've noticed that mysql is
> > > listening on port 3306.  Is it possible to use ipchains to only allow
> > > localhost source address access to this port?
> > >
> >
> > Just bind the MySQL process to listen only on the 127.0.0.1 (localhost)
> > address, so it won't be seen from the outside world.  Or a domain socket
> > only (I believe it has some special behaviour for localhost anyhows).
> >
> > You shouldn't really need to mess with ipchains (I assume you are
> > running Linux).
> >
> > --
> >  Anil Madhavapeddy / "Oi luv moi brick!"
> >  anil@recoil.org   /       - Father Jack
> >
> > --
> > IMP mailing list: http://horde.org/imp/
> > Frequently Asked Questions: http://horde.org/faq/
> > To unsubscribe, mail: imp-unsubscribe@lists.horde.org
> >
> >
> 
> 
> Rick Romero
> IT Manager
> Valeo, Inc.
> rick@valeoinc.com
> 262-695-4841
> 


Rick Romero
IT Manager
Valeo, Inc.
rick@valeoinc.com
262-695-4841
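
The listener check discussed in this thread (netstat before and after --bind-address=127.0.0.1), as an added example that is not part of the original messages. The function name and the sample netstat lines are constructed for illustration; it assumes the Linux `netstat -ant` / `netstat -anp` column layout.

```shell
#!/bin/sh
# Report which addresses a TCP port is listening on, reading `netstat -ant`
# (or -anp) output on stdin. Loopback binds are "local"; anything else
# (0.0.0.0, ::, a NIC address) is "exposed" to other machines.
classify_listeners() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4                      # local address column, host:port
            n = split(addr, part, ":")     # port is the last ":" field
            if (part[n] != port) next
            host = substr(addr, 1, length(addr) - length(part[n]) - 1)
            if (host ~ /^127\./ || host == "::1")
                print "local " host
            else
                print "exposed " host
        }'
}

# Constructed sample: mysqld started without --bind-address.
sample_default() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:3306         198.51.100.7:41022      ESTABLISHED
EOF
}

# Constructed sample: mysqld started with --bind-address=127.0.0.1.
sample_bound() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
EOF
}

echo "default start:";                 sample_default | classify_listeners 3306
echo "with --bind-address=127.0.0.1:"; sample_bound   | classify_listeners 3306
```

On a live host the same function takes real input: `netstat -ant | classify_listeners 3306`. No output at all means nothing is listening on that TCP port, which is what a socket-only setup looks like.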