| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | "Richard Zimmerman" <Richard(at)knbpower(dot)com> |
| Cc: | pgsql-novice(at)postgresql(dot)org |
| Subject: | Re: Couple of PostgreSQL Questions |
| Date: | 2001-04-05 17:12:45 |
| Message-ID: | 22254.986490765@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-novice |
"Richard Zimmerman" <Richard(at)knbpower(dot)com> writes:
> My Linux system serves as the "Internet" server in my office and also
> hosts the PostgreSQL database. I want to "hide" PostgreSQL from my external
> network card (eth1).
> eth0 = 192.168.0.2 (Internal)
> eth1 = 63.110.172.162 (external)
In 7.1 it is possible to tell the postmaster to bind its socket to only
one IP address, rather than all the machine's IP addresses. That should
solve your problem. However, I don't really think you need to worry
all that much, given that you have pg_hba.conf set up not to accept
connections from anyplace except local addresses.
> local all trust
> host all 63.110.172.162 255.255.255.255 reject
> host all 127.0.0.1 255.255.255.255 crypt
> host all 192.168.0.0 255.255.255.0 crypt
That "reject" line is pretty much a waste of time, because it only
rejects connections that originate from your own machine; the comparison
is against the client address not the server address. The important
thing for security is that you're not accepting connections from just
any old IP address, but only the ones on your local LAN. So, even
though an outside port-scanner might be able to see your port
responding, he's not going to get in.
But, having said that, a firewall rule to drop outside-to-5432 packets
entirely is also a good idea.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Shaw Terwilliger | 2001-04-05 18:08:47 | Database Name Case Sensitivity |
| Previous Message | Tom Lane | 2001-04-05 16:09:30 | Re: Postmaster hangs until Ctrl-C |