Cluster (on LAN): MySQL security


We use the iworx cluster. For this we have set up the cluster on a LAN (Gb switch, eth1).
For example, the cluster manager has the IP and the node
This means that MySQL requests go through this LAN via port 3306. So APF has a rule to allow all incoming traffic on port 3306 (eth0), and eth1 is not monitored by APF (all traffic is OK).

By default, Interworx sets the authority (host) to % for every new database/MySQL user.
This means that everybody can access the MySQL server from outside.

What we wanted to do is:

  • Remove port 3306 from the “open and listen” APF ports (Ingress)
  • Allow ALL traffic from/to ETH1

This way all MySQL traffic is allowed through ETH1 (LAN), but MySQL traffic from OUTSIDE on port 3306 would be denied!

This solution would be much more secure :slight_smile:

But is it possible? I think Interworx looks for port 3306 to see if MySQL is ON?
If that is right, it means that we can’t do this!?
Are there other solutions? Couldn’t Interworx set, by default on a cluster, all the nodes rather than %?

What do you think? Any ideas?
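Added example, not part of the original post and not Interworx or APF code: whatever APF ends up doing with port 3306, the MySQL accounts themselves can be checked and pinned to the cluster LAN. The script below takes the rows of `SELECT user, host FROM mysql.user`, flags every account whose host part is a wildcard that is not confined to the LAN, and generates the `RENAME USER` statements that move those accounts to the LAN pattern (RENAME USER keeps the account's password and privileges, so the sites keep working from the nodes while the `'%'` account disappears). The sample rows, the `10.0.0.0/24` LAN pattern and the user names are constructed assumptions; adjust them to the real cluster.

```python
"""
Audit MySQL accounts with wildcard hosts and generate the RENAME USER
statements that confine them to the cluster LAN.

Example code written for this thread, not Interworx/APF code. The sample
rows and the LAN pattern are constructed; replace them with the output of
AUDIT_QUERY on a real node and the real eth1 subnet.
"""

from typing import List, Tuple

# Run on a node to get the real input rows (mysql -e "$AUDIT_QUERY").
AUDIT_QUERY = "SELECT user, host FROM mysql.user ORDER BY user, host;"

# Assumed LAN pattern for the eth1 network (MySQL host syntax, '%' wildcard).
LAN_SUBNET_PATTERN = "10.0.0.%"

# Constructed sample of what AUDIT_QUERY returns; IPs are placeholders.
SAMPLE_ACCOUNTS: List[Tuple[str, str]] = [
    ("root", "localhost"),
    ("iworx", "localhost"),
    ("site1_user", "%"),              # panel default: reachable from anywhere
    ("site2_user", "%.example.net"),  # DNS wildcard: still world-reachable
    ("site3_user", "10.0.0.%"),       # already limited to the LAN /24
    ("site4_user", "10.0.0.2"),       # pinned to one node
]


def is_wildcard_host(host: str) -> bool:
    """True if the host part uses MySQL pattern characters ('%' or '_')."""
    return "%" in host or "_" in host


def matches_lan(host: str, lan_pattern: str) -> bool:
    """True if host is the LAN pattern itself or a literal address inside it.

    Only the trailing-'%' form (e.g. '10.0.0.%') is understood; anything
    else is treated as outside the LAN, which errs on the side of flagging.
    """
    if host == lan_pattern:
        return True
    if lan_pattern.endswith("%"):
        prefix = lan_pattern[:-1]
        return host.startswith(prefix) and not is_wildcard_host(host)
    return False


def world_reachable(accounts, lan_pattern: str = LAN_SUBNET_PATTERN):
    """Accounts whose host is a wildcard not confined to the LAN.

    These are the ones any remote client can try once the firewall lets
    port 3306 through on the public interface.
    """
    return [
        (user, host)
        for user, host in accounts
        if is_wildcard_host(host) and not matches_lan(host, lan_pattern)
    ]


def quote(value: str) -> str:
    """Single-quote a user or host string for an SQL statement."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def remediation_sql(accounts, lan_pattern: str = LAN_SUBNET_PATTERN) -> List[str]:
    """RENAME USER statements moving each world-reachable account to the LAN.

    RENAME USER preserves the password and grants. It fails if the target
    user@host already exists, so run AUDIT_QUERY first and resolve clashes.
    """
    return [
        f"RENAME USER {quote(user)}@{quote(host)} TO {quote(user)}@{quote(lan_pattern)};"
        for user, host in world_reachable(accounts, lan_pattern)
    ]


if __name__ == "__main__":
    for user, host in world_reachable(SAMPLE_ACCOUNTS):
        print(f"world-reachable: {user}@{host}")
    print("\n".join(remediation_sql(SAMPLE_ACCOUNTS)))
```

Two practitioner notes on top of this. First, the firewall side: as far as I remember, APF's conf.apf has IG_TCP_CPORTS for the public ingress ports and IFACE_TRUSTED for interfaces it should not filter, which is the pair the "remove 3306 / trust eth1" idea maps onto; check against the installed version. Second, MySQL itself can stop listening on eth0 with `bind-address` in `[mysqld]` set to the eth1 address, but that also breaks any local tool that connects over TCP to 127.0.0.1 instead of the socket, so test how the panel reaches MySQL before relying on it.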