By default mysql is available on the green interface. I don’t see the necessity in that; I always disable it when not making mysql available to clients other than local.
I agree… mysql SHOULD be available (only on GREEN) only if needed
MySQL is open to local network to ease connections from third party applications.
This saved us a LOT of support calls and tickets!
But we could change the default for NS 7.
Any one else would like a different default?
What is the upstream default?
Upstream listens to all interfaces, but the firewall is not open.
The use cases seem to be
- VPS, where green is Internet => MySQL must be closed
- Server in LAN => MySQL could be open for third-party apps
It’s hard to decide… I think the most conservative and upstream-compliant setup should be the default.
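The distinction drawn above (mysqld listening on all interfaces versus the firewall actually allowing the port on green) is easy to get wrong when checking a box. The script below is an added example, not NethServer’s or upstream MySQL’s own code: it classifies a host as closed (loopback bind), filtered (bound to all interfaces but not allowed by the firewall, the upstream default described above) or exposed (bound to all interfaces and allowed on green). Both the `ss -Hltn` style listings and the firewall service lists are constructed sample data, and the service name `mysql` for the green-zone allow list is an assumption.

```shell
#!/bin/sh
# Added example (not NethServer's or MySQL's own code): classify how reachable
# a MySQL listener is from the LAN, from two inputs: an `ss -Hltn` style
# listing and the list of services the firewall allows on the green zone.
# All inputs below are constructed sample data, not captured from a real host.

# Constructed sample: mysqld bound to all interfaces (upstream default bind).
SS_ALL='LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Constructed sample: mysqld bound to loopback only. This is what the
# closed default looks like; in my.cnf it is `[mysqld] bind-address = 127.0.0.1`.
SS_LOCAL='LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Constructed sample: no mysqld listener at all.
SS_NONE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# mysql_bind LISTING -> prints "all", "local" or "none" for TCP port 3306.
# Only the local address column ($4) is inspected; the port is the text
# after the last ':' so that IPv6 forms such as [::]:3306 parse too.
mysql_bind() {
  printf '%s\n' "$1" | awk '
    $1 == "LISTEN" {
      n = split($4, a, ":"); port = a[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (port == "3306") {
        found = 1
        if (addr == "127.0.0.1" || addr == "[::1]") print "local"; else print "all"
        exit
      }
    }
    END { if (!found) print "none" }'
}

# mysql_exposure BIND "SERVICES" -> "not-running", "closed", "filtered" or
# "exposed". SERVICES is the space-separated list of services the firewall
# allows on green; "mysql" as the service name is an assumption.
mysql_exposure() {
  mode="$1"; services=" $2 "
  case "$mode" in
    none)  echo "not-running" ;;
    local) echo "closed" ;;          # firewall state is irrelevant here
    all)
      case "$services" in
        *" mysql "*) echo "exposed" ;;   # bound everywhere AND allowed on green
        *)           echo "filtered" ;;  # bound everywhere, firewall blocks it
      esac ;;
    *)     echo "unknown" ;;
  esac
}

# Stand-alone run over the constructed samples.
for s in "$SS_ALL" "$SS_LOCAL" "$SS_NONE"; do
  b=$(mysql_bind "$s")
  printf 'bind=%-5s green allows mysql: %-8s  -> %s\n' "$b" yes "$(mysql_exposure "$b" "ssh http https mysql")"
  printf 'bind=%-5s green allows mysql: %-8s  -> %s\n' "$b" no  "$(mysql_exposure "$b" "ssh http https")"
done
```

On a real host the two inputs would come from `ss -Hltn` and from the firewall’s list of allowed services for the green zone; the point of the split is that the "filtered" state is only as safe as the firewall, which a VPS deployed with green on the Internet, or an install without the firewall package, may not have.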
let it be closed as a default, and give a UI to enable it on the lan
The UI is already there, and - I agree with you - the default should be changed to closed.
If so, it’s just trivial:
close it, and document it… you’re done
A wise man once said: “Nobody reads the documentation!” but ok, let’s go with a closed default for NS 7:
@fasttech sounds good?
I respect you, you’re a young but good guy… and yes, you’re right, no one reads the documentation.
Anyway, if you document it and people ask “why is this not working?” you can always answer “Please, RTFM” (and I’m not sure that F stands for Fine).
Sorry guys but I tend to disagree with you, why do we use trusted networks and close ports afterwards?
In my experience as @giacomo already said people expect that mysql is open for trusted networks to ease connections from third party applications. Why should we close this port by default?
EDIT: if I remember correctly, it was closed in past releases; we opened it after many complaints by users.
I understand LAN users want MySQL always available. I think the point is how NethServer is deployed on a VPS: same green configuration! Perhaps we need a different approach to accommodate both use cases…
You’re right, but previously this was done using the LocalNetworkingOnly which can’t be edited from the web interface.
With the proposed modification, the user will have only to access the network services page and change the access type for mysql.
I feel that there’s no longer such a thing as a trusted network.
Because one can install owncloud or other db-dependent services without installing the firewall, I just feel that inexperienced users are better served by being inconvenienced into figuring out how to make their db available to other clients than by having their server open to the admittedly rare instance of something lying in wait on their ‘trusted’ network. It’s awesome that we run the secure script against a new mysql install, closing the test account etc. I ran a basic Nessus scan against ns7 with oC and mysql available on green, from which it was scanned, and it came back without a trigger, but still…
I feel that anyone running a server has a responsibility to at least try to ensure their server isn’t going to be serving nefarious purposes other than their own, and if they’re making a db available to anything other than localhost then they should have an idea of what they’re doing.
From a VPS standpoint I would be inclined to have more closed by default, basically all but http and https… things like ntp and slapd I just don’t make available unless I need them.