Prevent Services from Binding to an Interface
Keep services from listening on a port instead of firewalling them.
Sometimes you might want to limit a service to listen on only a specific interface. For instance, Apache [Hack #50] can be configured to listen on a specific interface as opposed to all available interfaces. You can do this by using the Listen directive in your configuration file and specifying the IP address of the interface:

Listen 192.168.0.23:80

If you use VirtualHost entries, you can specify interfaces to bind to on a per-virtual-host basis:

<VirtualHost 192.168.0.23>
...
</VirtualHost>
You may even have services that are listening on a TCP port but don’t need to be. Database servers such as MySQL are often used in conjunction with Apache, and are frequently set up to coexist on the same server when used in this way. Connections that come from the same machine MySQL is installed on use a Unix domain socket in the filesystem for communications, so you don’t need to have MySQL listening on a TCP socket at all. To turn it off, you can either use the --skip-networking command-line option when starting MySQL or specify it in the [mysqld] section of your my.cnf file:

[mysqld]
...
skip-networking
...
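As an added example (not from the book), here is a small POSIX shell check that parses the output of ss -ltn and flags TCP listeners bound to every interface, so that after making the changes above you can confirm Apache is bound only to 192.168.0.23 and that MySQL (port 3306) and X11 (port 6000) are no longer exposed. The socket table below is constructed for illustration; on a live host replace it with real ss -ltn output.

```shell
#!/bin/sh
# Constructed sample in the layout printed by `ss -ltn` (iproute2): the fourth
# column is Local Address:Port. These rows are assumed values for illustration;
# on a live host use:  SAMPLE="$(ss -ltn)"
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511    192.168.0.23:80    0.0.0.0:*
LISTEN 0      80     0.0.0.0:3306       0.0.0.0:*
LISTEN 0      128    *:6000             *:*
LISTEN 0      128    127.0.0.1:25       0.0.0.0:*'

# Print "port address" for every TCP listener bound to all interfaces.
# Recognises the wildcard spellings ss uses: 0.0.0.0, [::], :: and *.
wildcard_listeners() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            # everything before the final ":" is the bound address
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "0.0.0.0" || host == "[::]" || host == "::" || host == "*")
                print port " " host
        }'
}

# Exit 0 if the given port is bound to a wildcard address, 1 otherwise.
port_is_wildcard() {
    wildcard_listeners "$2" | awk -v p="$1" '$1 == p { found = 1 } END { exit !found }'
}

# Every port listed here accepts connections on every interface; with
# skip-networking in effect, 3306 should disappear from this list.
wildcard_listeners "$SAMPLE"
```
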
Another program that you’ll often find listening on a port is your X11 server, which listens on TCP port 6000 by default. This port is traditionally used to enable remote clients to connect to your X11 server so they can draw their windows and accept keyboard and mouse input; however, ...