From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Network access to MySQL
Date: Tue, 29 Apr 2008 22:40:09 +0100
Message-Id: <200804292240.29021.michaelkintzios@gmail.com>
In-Reply-To: <481759EB.9040306@badapple.net>

On Tuesday 29 April 2008, kashani wrote:
> Peter Humphrey wrote:
> > Having just installed mysql on my server, I've found that I have to set
> > bind-address = 0.0.0.0 in /etc/mysql/my.cnf to enable me to connect to
> > mysqld over the local network: leaving it at the default 127.0.0.1 causes
> > connection requests to be rejected.
> >
> > Is there a more secure value for this parameter? I want to be able to
> > connect over either of two network segments, 192.168.2.0/29 and
> > 192.168.3.0/29, as well as locally on the server box. I've tried a
> > compound setting in bind-address, but mysqld then refuses to start.
> > 0.0.0.0 is the only setting I've found so far that lets me in.
>
> I generally remove the bind setting so that Mysql listens on all IPs on
> the box. You can then have firewall rules at your border or locally on
> the box to control access to 3306. You can also set access on a per user
> basis within mysql:
>
> GRANT CREATE,DELETE,INSERT,SELECT,UPDATE ON your_db.* TO
> 'your_user'@'localhost';
> GRANT CREATE,DELETE,INSERT,SELECT,UPDATE ON your_db.* TO
> 'your_user'@'192.168.2.%';
>
> and so on.
>
> kashani

The --bind-address option works for one IP address only. If you set it to
127.0.0.1, only connections from localhost will be listened to. If you set it
to 0.0.0.0, connections from all addresses are listened to. I believe that
you can have one IP address set by using --bind-address and also have defined
a unix socket for mysqld to listen to. The unix socket can be set up for
local connections (you need to allow fs access for the unix socket to the
mysql client user of course, otherwise the socket will not be accessible).

As others have mentioned, the firewall adds security by restricting inbound
source addresses.

HTH.
-- 
Regards,
Mick

-- 
gentoo-user@lists.gentoo.org mailing list
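As an added example (not from the thread): the '192.168.2.%' wildcard in kashani's grant matches every host in 192.168.2.0/24, which is wider than the two /29 segments Peter asked about. MySQL also accepts a host part written as IP/netmask, so the per-user access can be narrowed to exactly those segments while the local account stays on 'localhost'. Account, database and password values are placeholders.

```sql
-- Added example; not code from the thread. your_user / your_db / change-me are placeholders.
-- A MySQL account host may be written as 'ip/netmask' (mask bits must be contiguous).
-- A client at address A matches the account when (A AND netmask) = ip, so
-- 255.255.255.248 is the mask for a /29 and admits only the 8 addresses of that segment,
-- unlike '192.168.2.%', which admits all 256 addresses of the /24.
CREATE USER 'your_user'@'localhost' IDENTIFIED BY 'change-me';
CREATE USER 'your_user'@'192.168.2.0/255.255.255.248' IDENTIFIED BY 'change-me';
CREATE USER 'your_user'@'192.168.3.0/255.255.255.248' IDENTIFIED BY 'change-me';

-- Same privilege list as in the thread. Note there is no PRIVILEGES keyword here:
-- it is only valid after ALL (GRANT ALL PRIVILEGES ...), not after an explicit list.
GRANT CREATE, DELETE, INSERT, SELECT, UPDATE ON your_db.* TO 'your_user'@'localhost';
GRANT CREATE, DELETE, INSERT, SELECT, UPDATE ON your_db.* TO 'your_user'@'192.168.2.0/255.255.255.248';
GRANT CREATE, DELETE, INSERT, SELECT, UPDATE ON your_db.* TO 'your_user'@'192.168.3.0/255.255.255.248';

-- Check: exactly these three host entries should exist for the account, and none
-- with a bare '%' host, which would accept the user from any source address.
SELECT user, host FROM mysql.user WHERE user = 'your_user' ORDER BY host;
SHOW GRANTS FOR 'your_user'@'192.168.2.0/255.255.255.248';
```

These grants complement, rather than replace, a host firewall that limits TCP/3306 to the same two segments, since the grant check only happens after the TCP connection has been accepted.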