From: Paul Beard
To: FreeBSD-questions
Date: Tue, 8 May 2012 06:49:01 -0700
Subject: securing MySQL: easiest/best ways?

Monkeying with IPv6, I discovered that globally routable addresses are what it says on the tin, so hiding behind a network appliance is no longer viable for me. An nmap scan showed the port 3306 was hanging out for all to see but I couldn't figure out how to close it off. The "--skip-networking" argument seems not to work, either in my.cnf or as an rc argument. The server just fails to start. (For some reason the socket is hard-coded to live in /tmp, regardless of what's in my.cnf but I gave up bothering about that.)

What I ended up doing was adding

    mysql_args="--bind-address=127.0.0.1"

to /etc/rc.conf. This seems to work as netstat and sockstat no longer show port 3306 listening and database connections are happening.

Is this the preferred/best way?

--
Paul Beard

Are you trying to win an argument or solve a problem?
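
A way to verify the result described in the message above, as an added example that is not part of the original post: a small sh function that reads `sockstat -4 -6 -l` style output and reports any TCP listener on port 3306 bound to something other than loopback. The function name and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag TCP listeners on a port that are reachable beyond loopback.
# Input on stdin: text in the layout printed by FreeBSD `sockstat -4 -6 -l`.
# Live use on a host:  sockstat -4 -6 -l | exposed_listeners 3306

exposed_listeners() {
    port="${1:-3306}"
    awk -v port="$port" '
        $5 !~ /^tcp/ { next }                 # skip header, UDP and UNIX sockets
        {
            addr = $6                         # LOCAL ADDRESS column
            n = match(addr, /:[0-9*]+$/)      # port follows the LAST colon, so
            if (n == 0) next                  # IPv6 addresses split correctly
            host = substr(addr, 1, n - 1)
            p = substr(addr, n + 1)
            if (p != port) next
            if (host ~ /^127\./ || host == "::1") next   # loopback only
            print $2, $5, addr                # command, proto, local address
        }'
}

# Constructed sample: mysqld on the IPv4 wildcard and on a global IPv6 address
# (2001:db8::/32 is the documentation prefix).
SAMPLE_BEFORE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
mysql    mysqld     1042  10 tcp4   *:3306                *:*
mysql    mysqld     1042  11 tcp6   2001:db8::10:3306     *:*
root     sshd       811   3  tcp4   *:22                  *:*'

# Constructed sample: the same host after --bind-address=127.0.0.1.
SAMPLE_AFTER='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
mysql    mysqld     1042  10 tcp4   127.0.0.1:3306        *:*
mysql    mysqld     1042  12 stream /tmp/mysql.sock
root     sshd       811   3  tcp4   *:22                  *:*'

echo "before:"; printf '%s\n' "$SAMPLE_BEFORE" | exposed_listeners 3306
echo "after:";  printf '%s\n' "$SAMPLE_AFTER"  | exposed_listeners 3306
```

An empty result for the port means every listener on it is bound to loopback; any printed line names the process and the address that is still exposed.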