Bugzilla – Bug 131478
YaST2 firewall GUI offers no support for port 3306 (mysql), oversimplifies firewall.
Last modified: 2006-01-05 12:38:54 UTC
Suggestions for the firewall configuration in YaST2: 1) Add "mysql" as a service, since mysql is a supported service elsewhere. 2) Show the port number, not just the name, for supported services. If you're looking at a log file, you need to know the port number, so why not show it? 3) Support showing the firewall log. This is very helpful when debugging a firewall problem. and 4) Document which configuration files YaST2 modifies, so that if YaST2 does not do it right, you have a starting point to solve the problem.
1.) We cannot add all known services to the firewall, that would be impossible to maintain. Configuring MySQL is not supported by YaST. Write a YaST module for that and I will add it :) It should be quite simple. http://forge.novell.com/modules/xfmod/project/?yast Opening the port for MySQL on the external network is a security risk and it is not necessary for running MySQL in most cases - connecting to MySQL over the network is not such common behavior. 2.) Might be possible to show all ports for supported services. But, you know, there are not only TCP and UDP ports configured but also RPC ports and Broadcast... For instance, NFS-Server opens up many RPC ports (all but one of them don't have any port number, only names). 3.) I'll try to add it somewhere. 4.) This is what YaST usually doesn't do but it should be documented in the Admin's guidebook. --- Klara: please, ensure that point 4.) will be documented ;) thanks
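The exchange above turns on the difference between a service name and a port number: a firewall definition such as `"tcp_ports" : [ "mysql" ]` only opens 3306 if the name resolves through /etc/services, while RPC program names have no fixed number at all. The following is an added example, not code from the bug report or from YaST/SuSEfirewall2; it assumes a SuSEFirewallServices-style definition (a dict with `tcp_ports`/`udp_ports` lists) and a constructed /etc/services excerpt, and the `rpc_ports` key and the `describe` helper are illustrative names, not the real YaST API.

```python
"""Resolve firewall service-name lists to numeric ports.

Added example, not code from the bug report or from YaST/SuSEfirewall2.
The service-definition shape, the "rpc_ports" key and the /etc/services
text below are all constructed for illustration.
"""
import re

# Constructed /etc/services excerpt (not the real file on any system).
SERVICES_SAMPLE = """\
# service-name  port/protocol  [aliases ...]   # comment
ssh             22/tcp
ssh             22/udp
sunrpc          111/tcp    portmapper
sunrpc          111/udp    portmapper
mysql           3306/tcp
mysql           3306/udp
nfs             2049/tcp
nfs             2049/udp
"""


def parse_services(text):
    """Return {(name, proto): port} from /etc/services-style text, aliases included."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        m = re.fullmatch(r"(\d+)/(tcp|udp)", fields[1])
        if not m:
            continue
        port, proto = int(m.group(1)), m.group(2)
        for name in [fields[0]] + fields[2:]:  # canonical name plus aliases
            table[(name, proto)] = port
    return table


def resolve_ports(service_def, services_table):
    """Map every entry in tcp_ports/udp_ports to a number.

    Returns (resolved, unresolved): resolved is a list of (proto, name, port);
    unresolved lists (proto, name) for names the services table does not know,
    which is exactly the case where a rule like "tcp_ports": ["mysql"] would
    silently open nothing.
    """
    resolved, unresolved = [], []
    for key, proto in (("tcp_ports", "tcp"), ("udp_ports", "udp")):
        for entry in service_def.get(key, []):
            if entry.isdigit():
                resolved.append((proto, entry, int(entry)))
            elif (entry, proto) in services_table:
                resolved.append((proto, entry, services_table[(entry, proto)]))
            else:
                unresolved.append((proto, entry))
    return resolved, unresolved


# Illustrative definitions in the shape of the bug's SuSEFirewallServices entry.
MYSQL_SERVER = {"name": "MySQL Remote Access", "tcp_ports": ["mysql"]}
NFS_SERVER = {
    "name": "NFS Server",
    "tcp_ports": ["nfs", "sunrpc"],
    "udp_ports": ["nfs", "sunrpc"],
    "rpc_ports": ["mountd", "nlockmgr"],  # hypothetical key: RPC names, no fixed port
}


def describe(service_def, services_table):
    """Labels of the form 'name/proto (port)' a GUI could show next to a service,
    with RPC names marked as having no fixed number."""
    resolved, unresolved = resolve_ports(service_def, services_table)
    labels = ["%s/%s (%d)" % (name, proto, port) for proto, name, port in resolved]
    labels += ["%s/%s (unknown name, would open nothing)" % (name, proto)
               for proto, name in unresolved]
    labels += ["%s/rpc (assigned at run time by the portmapper)" % n
               for n in service_def.get("rpc_ports", [])]
    return labels


if __name__ == "__main__":
    table = parse_services(SERVICES_SAMPLE)
    for svc in (MYSQL_SERVER, NFS_SERVER):
        print(svc["name"])
        for label in describe(svc, table):
            print("  " + label)
```

Running it against the real /etc/services instead of the constructed sample is a one-line change (`open("/etc/services").read()`), and the `unresolved` list is the check to run before shipping a service definition that names a port rather than numbering it.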
1) Then maybe you should also default mysql to "skip-networking"... defense in depth is best. But see bug report at http://bugs.mysql.com/bug.php?id=14441 2) Then list the names. 3) ...and it helps people understand that any internet-connected computer is under constant scanning and attack.... 4) The admin's guidebook is likely to always be somewhat out of date, whereas YaST could give a definitive list of what files it is modifying (not just for this module, but for all modules). Listing the files modified helps debug problems, and helps people "have fun" by learning what's going on underneath.
(maybe YaST could dump the filename to the console, when modifying a file. Then people starting YaST from the console could see what is happening).
Postadal: What do you think, as a maintainer of the mysql, about allowing YaST Firewall to open port 3306 up (as the default one for mysql server)? How often do people need to open this port up for common usage? In my opinion, MySQL doesn't need to be network-enabled by default and doesn't need to open that port up. But that's only my experience, I've been using MySQL for more than six years without needing that. So that's why my opinions might be a bit influenced.
Note: I open the port, so I can access the DB from a windows box, via the ODBC driver. Then I can load DB tables into MS Excel, or Arcview/Christine. Adding mysql to the list of services would take all of a few seconds. Is there a reason not to?
OK, I see you really want it :) I hope this is enough (TCP 3306). This patch should go to the next SUSE Linux 10.1 Alpha version. --- cut --- Index: SuSEFirewallServices.ycp =================================================================== --- SuSEFirewallServices.ycp (revision 26076) +++ SuSEFirewallServices.ycp (working copy) @@ -199,6 +199,11 @@ "tcp_ports" : [ "pbs", "pbs_mom", "pbs_resmom", "pbs_sched" ], "udp_ports" : [ "pbs_resmom" ], ], + "mysql-server" : $[ + // TRANSLATORS: Name of Service, can be used as check box, item in multiple selection box... + "name" : _("MySQL Remote Access"), + "tcp_ports" : [ "mysql" ], + ], ]; /** --- cut --- Note: SuSEFirewallServices.ycp file is located in /usr/share/YaST2/modules/ directory and has to be compiled by command: `/usr/bin/ycpc -c SuSEFirewallServices.ycp` ycpc should be a part of yast2-core package Let's see what will others want :) ;) leaving open for other enhancement request....
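Review bot: the new `"tcp_ports" : [ "mysql" ]` entry opens the port by service name, so it only yields TCP 3306 (the number the comment says it hopes is enough) on systems whose /etc/services maps `mysql` to 3306/tcp; either list `"3306"` directly alongside the name, or confirm that the mysql package guarantees that /etc/services entry, otherwise the rule resolves to nothing without any error in the GUI. The compile step noted below the patch (`ycpc -c SuSEFirewallServices.ycp`) also belongs in the commit message or package spec, since the edited .ycp file has no effect until it is recompiled.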
Already fixed. There are no other enhancement requests...