Re: [Shorewall-users] Security question around MySQL Replication

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

> -----------Bill Shirley---------------------
> Il 2017-09-11 19:01 Bill Shirley ha scritto:
> Both are good suggestions: block all IP addresses at the firewall
> except your slave,
> configure MySQL SSL.  See:
> 
> https://www.mail-archive.com/sho...@li.../msg20502.html
>
> Of course, you'll have to create the certificates and tweak the 
> values in the
> CHANGE MASTER.
>
> Bill
> [..]
> -----------Phil Stracchino-------------------
> If your replication traffic goes outside your firewall, consider
> requiring SSL on the replication connection.  You will have to 
> configure
> this on both the master and the slave.
>

Thanks Bill and Phil you're perfectly right, in fact I have already 
configured (initially) both the SSL connection and the SSL user!

>> -----------Dominic Benson-------------------
>> [..]
>> If you haven't already (not sure from the wording of your original 
>> post)
>> you should also restrict the rule to just the source IP of the 
>> replica,
>> otherwise you're bound to get a lot of attempts to break in to the 
>> database.

I have not thought about this, the following example (my servers are 
directly connected to the net) could go?

# http://www.shorewall.net/manpages/shorewall-rules.html
#
####################################################################################################################################################
#ACTION        SOURCE        DEST        PROTO    DEST    SOURCE        
ORIGINAL    RATE        USER/    MARK    CONNLIMIT    TIME
#                            PORT    PORT(S)        DEST        LIMIT   
     GROUP
ACCEPT    net:1.2.3.4    fw    tcp        3306

many many thanks to all!

Davide