
Question Port Bind to Localhost or Blocked by Host Software Firewall

WebHostingAce

Silver Pleskian
Hi Everyone,

Which is safer?

Port Bind to Localhost or Blocked by Software Firewall?

Please add your thoughts.

Thank you.
 
I'd vote for both.
First, ask yourself if the service you're going to use should be reachable from the public internet. If not, then bind the service to localhost. Additionally, your firewall should be configured to drop all connections by default (iptables default policy "DROP") and only allow those ports that should be publicly reachable (like HTTP/HTTPS) or restricted to your admin IPs (like SSH).

For example, if you don't want to provide access to MySQL from the outside world, then bind the service to localhost _and_ make sure no firewall rule permits connections to port 3306 from the public internet. That way you'll have 2 layers of security: If somebody by accident turns off or misconfigures your firewall then the service would still be unreachable to the public network. The same is true if you by accident bind the service to 0.0.0.0 instead of 127.0.0.1, in that case the firewall would make sure nobody can connect.
 
Thank you @Monty!

Let's say in my Firewall Port 3306 is Open and I'm not able to block it.

If I bind MySQL Port 3306 to Localhost, would it be as safe as Blocking via Firewall?
 
Yes, as long as MySQL stays on 127.0.0.1. Just consider the fact that a package update or configuration change might change the binding to 0.0.0.0 inadvertently, which would expose your MySQL to the public network. So check frequently and/or block the port on the firewall to have an additional layer of security.
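One way to do the frequent check suggested in the reply above, as an added example that is not part of the original thread: a shell function that reads `ss -Htln` output and reports any listener on the given port that is not bound to loopback. The function name `exposed_listeners` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report listeners on a TCP port that are NOT bound to loopback.
# Input: lines in `ss -Htln` format on stdin (field 4 is local address:port).
# Output: one non-loopback bind address per line; exit status 1 if any found.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")
            if (parts[n] != port) next            # different port (e.g. 33060)
            # Everything before the final ":port" is the bind address.
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            sub(/%.*$/, "", addr)                 # drop scope, e.g. 127.0.0.53%lo
            # Loopback binds are the safe case: 127.0.0.0/8, ::1, v4-mapped 127.x
            if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
            print addr                            # 0.0.0.0, [::], *, or a real IP
            found = 1
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample: MySQL ended up on 0.0.0.0 after a configuration change.
SAMPLE_AFTER_CHANGE='LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 70 127.0.0.1:33060 0.0.0.0:*'

if ! bad=$(printf '%s\n' "$SAMPLE_AFTER_CHANGE" | exposed_listeners 3306); then
    echo "WARNING: port 3306 is listening on non-loopback address(es): $bad"
fi

# On a live host, feed it the real socket table instead, e.g. from cron:
#   ss -Htln | exposed_listeners 3306 || echo "MySQL is not bound to localhost only"
```

Run on a schedule, this catches the case where an update or configuration change silently moves the service off 127.0.0.1.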
 