Re: How do I prevent binding to TCP/IP port outside of localhost?

if its linux, use iptables to block to port.

---------- Original Message -----------
From: Karl Wright <kwright(at)metacarta(dot)com>
To: pgsql-general(at)postgresql(dot)org
Sent: Thu, 23 Feb 2006 15:49:09 -0500
Subject: [GENERAL] How do I prevent binding to TCP/IP port outside of localhost?

> I have a situation where I need postgres to LISTEN and allow BINDs to
> its TCP/IP port (5432) only to connections that originate from
> localhost. I need it to not accept *socket* connections if requests
> come in from off-box. If I try to set up pg_hba.conf such that it
> rejects off-box requests, it seems to do this after it permits the
> socket connection, and that won't do for our security geeks here.
>
> For example, here's the difference:
>
> kwright(at)merrimack:~$ curl http://duck37:5432
> curl: (52) Empty reply from server
> kwright(at)merrimack:~$ curl http://duck37:5433
> curl: (7) couldn't connect to host
> kwright(at)merrimack:~$
>
> Note that the outside world seems to be able to connect to 5432 just
> fine, although any *database* connections get (properly) rejected.
>
> I cannot turn off TCP/IP entirely because I have a Java application that
> uses JDBC.
>
> Can somebody tell me whether this is an innate capability of postgres,
> or whether I will need to modify the base code (and if so, WHERE I would
> modify it?)
>
> Thanks,
> Karl Wright
>
> ---------------------------(end of broadcast)---------------------------
> TIP 1: if posting/reading through Usenet, please send an appropriate
> subscribe-nomail command to majordomo(at)postgresql(dot)org so that your
> message can get through to the mailing list cleanly
------- End of Original Message -------