Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
04-17-2003, 05:35 PM  #1
Senior Member
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86; Gentoo PPC; Gentoo Sparc64; FreeBSD; OS X; Solaris
Posts: 3,732
mysql port 3306
Well, this isn't a security issue per se, but I am curious about a few things. I only run a webserver, so my iptables firewall drops everything not destined for port 80; however, when I run nmap it shows 3306 (mysql) as open.
I do use mysql, but it is on the same computer, so I don't need the port open, right?
Why does port 3306 ignore my firewall rules? Anyone know what's up?
04-17-2003, 05:44 PM  #2
Guru
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 5,513
You might want to post your iptables script to get a better answer. However, I'll hazard the guess that your script isn't blocking internal requests. In other words, if you used nmap to scan from a different computer, you might not see port 3306 open.
Of course without seeing your iptables rules, this is nothing more than a WAG.
04-17-2003, 06:27 PM  #3
Senior Member
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86; Gentoo PPC; Gentoo Sparc64; FreeBSD; OS X; Solaris
Posts: 3,732
Hey, maybe you're right.
Here's the relevant sections:
Code:
# set a sane policy: everything not accepted > /dev/null
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# allow local-only connections
iptables -A INPUT -i lo -j ACCEPT
# free output on any interface to any ip for any service (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT
# permit answers on already established connections
# and permit new connections related to established ones (eg active-ftp)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# accepts http requests at port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Perhaps you could scan me to see... my domain is in my sig.
04-17-2003, 07:51 PM  #4
root
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 6,434
If you never connect to mysql over the network you may want to add
to your [mysqld] section in /etc/my.cnf.
--jeremy
04-17-2003, 08:00 PM  #5
Senior Member
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86; Gentoo PPC; Gentoo Sparc64; FreeBSD; OS X; Solaris
Posts: 3,732
Cool, thanks Jeremy. Worked perfectly...
Last edited by bulliver : 04-17-2003 at 08:14 PM.
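An added check, written for this thread rather than posted by anyone in it: it confirms the diagnosis in #2 (a local nmap reaches mysqld through `lo`, which the rules in #3 ACCEPT, so the firewall never sees those packets) and verifies that the change from #4 took effect. It reads `ss -ltn` or `netstat -ltn` output and lists TCP listeners bound to a wildcard or non-loopback address; the sample listing and the function names are constructed for the example.

```shell
# Constructed sample in `ss -ltn` format. Real usage:
#   ss -ltn | exposed_listeners        (or: netstat -ltn | exposed_listeners)
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      80     0.0.0.0:3306        0.0.0.0:*
LISTEN 0      128    127.0.0.1:6379      0.0.0.0:*
LISTEN 0      128    *:80                *:*
LISTEN 0      128    [::1]:25            [::]:*'

# Print "addr:port" for every TCP listener that is reachable from the
# network, i.e. whose local address is not 127.0.0.1 or ::1.
# Loopback-only listeners are skipped: they can only be reached via `lo`,
# which is why they show up in a local nmap but not in a remote one.
# Accepts both `ss` (LISTEN in column 1) and `netstat` (LISTEN in the last
# column) layouts; the local address is column 4 in both.
exposed_listeners() {
    awk '($1 == "LISTEN" || $NF == "LISTEN") {
        lp = $4
        addr = lp
        sub(/:[0-9]+$/, "", addr)          # drop ":port" to classify the address
        if (addr == "127.0.0.1" || addr == "[::1]") next
        print lp
    }'
}

# Return 0 when no listener is exposed beyond loopback, 1 otherwise.
# Run against the constructed sample; pipe live ss/netstat output instead.
only_loopback() {
    [ -z "$(printf '%s\n' "$SAMPLE_SS" | exposed_listeners)" ]
}

# Expected on the sample: 0.0.0.0:3306 and *:80 are exposed; mysqld on
# 3306 is the one the thread is about, and after skip-networking style
# changes it should disappear from this list while port 80 remains.
```

After applying the fix from #4, rerun it against live `ss -ltn` output: only the web server on port 80 should remain in the list.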