Details
In the setup, we have the MySQL instance in a separate remote server from the Phabricator front-end instance, and we are trying to do our due diligence to lock down the system to the necessary ports required inside the front-end server and the MySQL server so that Phabricator can still work without opening the entire system for the world to see. From what I can see when doing a netstat command, the aphront interfaces, which use the mysqli|mysql interface to communicate, are opening up a ton of outgoing connections to port 3306 on the MySQL server. My question is, how do I configure it so that I can restrict the range of the outgoing ports? Would that be somewhere in the php.ini configuration? As you can see from the snippet below, the local outgoing ports from the Phabricator front-end server connecting to the remote database server port are all over the place, ranging from 20xxx-60xxx from what I have seen.
netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address              Foreign Address          State
tcp        0      0 fm1phabs01.amr.co:38303    fm1phabmdbs01.amr:mysql  TIME_WAIT
tcp        0      0 fm1phabs01.amr.co:54270    fm1phabmdbs01.amr:mysql  ESTABLISHED
tcp        0      0 fm1phabs01.amr.co:38388    fm1phabmdbs01.amr:mysql  TIME_WAIT
tcp        0      0 fm1phabs01.amr.co:38381    fm1phabmdbs01.amr:mysql  TIME_WAIT
tcp        0      0 fm1phabs01.amr.co:38395    fm1phabmdbs01.amr:mysql  TIME_WAIT
tcp        0      0 fm1phabs01.amr.co:38371    fm1phabmdbs01.amr:mysql  TIME_WAIT
tcp        0      0 fm1phabs01.amr.co:38399    fm1phabmdbs01.amr:mysql  TIME_WAIT
tcp        0      0 fm1phabs01.amr.co:38355    fm1phabmdbs01.amr:mysql  TIME_WAIT
tcp        0      0 fm1phabs01.amr.co:38396    fm1phabmdbs01.amr:mysql  TIME_WAIT
tcp        0      0 fm1phabs01.amr.co:38374    fm1phabmdbs01.amr:mysql  TIME_WAIT
tcp        0      0 fm1phabs01.amr.co:38329    fm1phabmdbs01.amr:mysql  TIME_WAIT
tcp        0      0 fm1phabs01.amr.co:38367    fm1phabmdbs01.amr:mysql  TIME_WAIT
tcp        0      0 fm1phabs01.amr.co:38377    fm1phabmdbs01.amr:mysql  TIME_WAIT
tcp        0      0 fm1phabs01.amr.co:38372    fm1phabmdbs01.amr:mysql  TIME_WAIT
tcp        0      0 fm1phabs01.amr.co:38382    fm1phabmdbs01.amr:mysql  TIME_WAIT
tcp        0      0 fm1phabs01.amr.co:38412    fm1phabmdbs01.amr:mysql  TIME_WAIT
tcp        0      0 fm1phabs01.amr.co:38356    fm1phabmdbs01.amr:mysql  TIME_WAIT
tcp        0      0 fm1phabs01.amr.co:38328    fm1phabmdbs01.amr:mysql  TIME_WAIT
tcp        0      0 fm1phabs01.amr.co:38331    fm1phabmdbs01.amr:mysql  TIME_WAIT
tcp        0      0 fm1phabs01.amr.co:38310    fm1phabmdbs01.amr:mysql  TIME_WAIT
tcp        0      0 fm1phabs01.amr.co:38363    fm1phabmdbs01.amr:mysql  TIME_WAIT
tcp        0      0 fm1phabs01.amr.co:38335    fm1phabmdbs01.amr:mysql  TIME_WAIT
tcp        0      0 fm1phabs01.amr.co:38273    fm1phabmdbs01.amr:mysql  TIME_WAIT
tcp        0      0 fm1phabs01.amr.co:38389    fm1phabmdbs01.amr:mysql  TIME_WAIT
tcp        0      0 fm1phabs01.amr.co:38398    fm1phabmdbs01.amr:mysql  TIME_WAIT
tcp        0      0 fm1phabs01.amr.co:38323    fm1phabmdbs01.amr:mysql  TIME_WAIT
tcp        0      0 fm1phabs01.amr.co:38383    fm1phabmdbs01.amr:mysql  TIME_WAIT
tcp        0      0 fm1phabs01.amr.co:38364    fm1phabmdbs01.amr:mysql  TIME_WAIT
tcp        0      0 fm1phabs01.amr.co:38368    fm1phabmdbs01.amr:mysql  TIME_WAIT
tcp        0      0 fm1phabs01.amr.co:38375    fm1phabmdbs01.amr:mysql  TIME_WAIT
tcp        0      0 fm1phabs01.amr.co:38300    fm1phabmdbs01.amr:mysql  TIME_WAIT
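One way to check what the question describes, as an added example that is not part of the original post and not Phabricator's own code: a POSIX shell script that parses netstat lines of the shape shown above (three constructed sample lines using the hostnames from the listing), reports the span of local source ports used toward the MySQL host, counts connections by TCP state, and tests whether the observed ports fall inside a given ephemeral port range. The `db_egress_rules` function only composes rule text from its arguments; the database host and port it takes are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original post. Audits the local (source) ports a
# front-end host uses toward a remote MySQL service and compares them with an
# ephemeral port range. All input below is a constructed sample.

# Constructed sample: three netstat lines in the shape of the listing above.
SAMPLE_NETSTAT='tcp 0 0 fm1phabs01.amr.co:38303 fm1phabmdbs01.amr:mysql TIME_WAIT
tcp 0 0 fm1phabs01.amr.co:54270 fm1phabmdbs01.amr:mysql ESTABLISHED
tcp 0 0 fm1phabs01.amr.co:38388 fm1phabmdbs01.amr:mysql TIME_WAIT'

# Print "min max" of the local source ports used toward the remote service.
# $1: netstat text, $2: remote service as netstat names it (e.g. mysql)
local_port_span() {
  printf '%s\n' "$1" | awk -v svc="$2" '
    $5 ~ (":" svc "$") {
      p = $4; sub(/.*:/, "", p); p += 0        # keep only the local port
      if (min == "" || p < min) min = p
      if (max == "" || p > max) max = p
    }
    END { if (min != "") print min, max }'
}

# Count connections per TCP state toward the remote service, sorted by state.
state_counts() {
  printf '%s\n' "$1" | awk -v svc="$2" '
    $5 ~ (":" svc "$") { n[$6]++ }
    END { for (s in n) print s, n[s] }' | sort
}

# Return 0 if every observed source port lies inside [$3, $4], else 1.
# $1: netstat text, $2: service, $3: range low, $4: range high
ports_within_range() {
  span=$(local_port_span "$1" "$2")
  [ -n "$span" ] || return 1
  min=${span% *}
  max=${span#* }
  [ "$min" -ge "$3" ] && [ "$max" -le "$4" ]
}

# The kernel, not php.ini, assigns these ports. On Linux the live range is in
# /proc; a common default (32768 60999) is substituted where /proc is absent.
show_ephemeral_range() {
  if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
    cat /proc/sys/net/ipv4/ip_local_port_range
  else
    echo "32768 60999"
  fi
}

# Compose (without applying) the two stateful iptables rules that cover the
# front end's database traffic regardless of source port: new connections only
# to the database host on its port, and tracked return traffic from it.
# $1: database host (placeholder), $2: database port (placeholder)
db_egress_rules() {
  printf 'iptables -A OUTPUT -p tcp -d %s --dport %s -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' "$1" "$2"
  printf 'iptables -A INPUT -p tcp -s %s --sport %s -m conntrack --ctstate ESTABLISHED -j ACCEPT\n' "$1" "$2"
}
```

Run against real output with `netstat -tn` piped into the functions in place of `SAMPLE_NETSTAT`. The source ports in the listing are chosen by the kernel from net.ipv4.ip_local_port_range, so narrowing them is a sysctl change rather than a PHP setting, and the stateful rules above make the source port irrelevant to the firewall: the database side only needs to accept new TCP connections from the front-end address to port 3306, and connection tracking lets the replies back. The many TIME_WAIT entries are the normal tail of short-lived connections that have already closed, not open listeners.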
Answers
You should probably ask that on Serverfault.
AFAIK, outgoing ports are not commonly restricted, so it might be hard to achieve.