
1 Introduction

The number of ports used by MySQL depends on features that are enabled, the components used, how applications connect, and other aspects of your environment.

From a security perspective, ports should only be opened as required to permit system components to communicate. Always practice the principle of least privilege when managing ports, which requires that users, processes, programs, and other system components only have access to information and resources that are required for their legitimate purpose.

How port access is managed depends on different aspects of your environment such as operating system capabilities, firewalls, security tools, use of virtual private networking (VPN), and so on. Some MySQL installation packages assist with port access configuration for core MySQL ports. For example, the MySQL Installer Server package for Windows adds access rules to the Windows firewall, and MySQL for Linux packages add access rules to SELinux or AppArmor. However, MySQL does not assist with less common, optional, or non-MySQL product ports. In these cases, ports must be opened manually with commands such as this one for SELinux:

$> semanage port -a -t mysqld_port_t -p tcp <port_open_to_mysqld>

For more information about setting the SELinux port context for MySQL, see SELinux TCP Port Context.

Some MySQL features use TCP ports that fall within the allowed local port range on Linux systems (32768 - 61000). For example, the default MySQL X Protocol port is 33060, and the default MySQL Administrative Connection Port is 33062. To avoid port conflicts with other applications, consider configuring the ip_local_port_range parameter to limit the range of ports available for automatic port assignment, or configure the ip_local_reserved_ports parameter to reserve ports used by MySQL. To check your current ip_local_port_range and ip_local_reserved_ports configurations:

$> cat /proc/sys/net/ipv4/ip_local_port_range
$> cat /proc/sys/net/ipv4/ip_local_reserved_ports

For ip_local_port_range and ip_local_reserved_ports configuration instructions, refer to your distribution documentation.
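
The following is an added example, not part of the MySQL documentation: it reads the two settings shown above and reports whether the X Protocol port 33060 and the administrative connection port 33062 fall inside the automatic-assignment range without being reserved. The function names are hypothetical, and the reserved list is assumed to use the kernel's comma-separated format of single ports and lo-hi ranges.

```shell
# Added example: flag MySQL ports the kernel may hand out as ephemeral ports.

# port_is_reserved PORT RESERVED_LIST
# RESERVED_LIST is the content of ip_local_reserved_ports, for example
# "33060,33062" or "8080-8090,33062"; an empty string means nothing is reserved.
port_is_reserved() {
    local port=$1 list=$2 item lo hi
    local IFS=','
    for item in $list; do
        [ -n "$item" ] || continue
        lo=${item%-*}    # "8080-8090" -> 8080, "33060" -> 33060
        hi=${item#*-}    # "8080-8090" -> 8090, "33060" -> 33060
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# check_mysql_ports "LOW HIGH" RESERVED_LIST PORT...
# Prints one status line per port; the return status is the number of ports
# that sit in the ephemeral range and are not reserved.
check_mysql_ports() {
    local range=$1 reserved=$2 low high port at_risk=0
    shift 2
    low=${range%%[!0-9]*}     # first number (the file is whitespace-separated)
    high=${range##*[!0-9]}    # second number
    for port in "$@"; do
        if [ "$port" -lt "$low" ] || [ "$port" -gt "$high" ]; then
            echo "$port: outside ephemeral range $low-$high"
        elif port_is_reserved "$port" "$reserved"; then
            echo "$port: in ephemeral range $low-$high, reserved"
        else
            echo "$port: in ephemeral range $low-$high, NOT reserved"
            at_risk=$((at_risk + 1))
        fi
    done
    return "$at_risk"
}

# Check the live kernel settings when the /proc files are readable.
range_file=/proc/sys/net/ipv4/ip_local_port_range
reserved_file=/proc/sys/net/ipv4/ip_local_reserved_ports
if [ -r "$range_file" ] && [ -r "$reserved_file" ]; then
    check_mysql_ports "$(cat "$range_file")" "$(cat "$reserved_file")" \
        33060 33062 || echo "ports at risk of conflict: $?"
fi
```

Pass any additional listener ports your deployment uses as extra arguments to `check_mysql_ports`.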