Re: Different Port for PostgreSQL?

From: "Nigel J(dot) Andrews" <nandrews(at)investsystems(dot)co(dot)uk>
To: dan radom <dan(at)radom(dot)org>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Different Port for PostgreSQL?
Date: 2002-09-23 19:03:17
Message-ID: Pine.LNX.4.21.0209231948340.816-100000@ponder.fairway2k.co.uk
Lists: pgsql-general

One's got to question why you'd have the PostgreSQL port completely open on the
external interface at all. You must know the IP address(es) of the external web
servers so just enable traffic for them.

As for doing the reject message:
1) if you haven't got a listener on a port the kernel's going to reject the
connection attempt pretty quickly
2) wrap your DB starting and stopping commands with iptable manipulation to
enable/disable the web server's traffic as appropriate

On the whole the best solution is Dan's response. You'd manipulate the firewall
rules separately to the DB scripts of course but then if you're starting and
stopping the DB I see no reason to not require manual intervention in the
firewall.

--
Nigel J. Andrews

On Mon, 23 Sep 2002, dan radom wrote:

> wouldn't it make sense to use a lower end system as your iptables gw / fw? i mean hardware is cheap, and iptables has no problems forwarding web traffic to a httpd on the internal network where postgres lives. why even open the database up to the general internet population when the httpd only needs to talk to it.
>
> dan
>
> * Dan Ostrowski (dan(at)triad-dev(dot)com) wrote:
> > Hello all...
> >
> > I am developing a databasing system that will be used locally, but in tandem with a hosted web server.
> >
> > As such, I will be implementing a local PostgreSQL server and connecting it to the internet. However, this machine ( unfortunately ) will probably also have to run the firewall as well, but that's all it will be more than likely.. database and firewall.
> >
> > Ideally, I would be able to send a "REJECT" message ( via iptables ) if the connection is refused because the Database is down or somesuch, instead of just "DROP"ing the connection. This would speed up things for the web scripts when the DB is unreachable locally. However, port scans will then be able to easily figure out that I am running PostgreSQL on the standard port, presumably.
> >
> > Is there a way to run Postgre on some other non-standard port? Does it do well in this regard? How would I go about doing that?
> >
> > I know it won't "hack proof" anything really, just make it a bit more confusing for anyone doing port scans on my machine.
> >
> > ideas?
> >
> >
> > regards,
> > dan
>
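
Added example, not part of the original message or thread: a wrapper that ties the web servers' ACCEPT rule to the database start and stop commands, with a standing REJECT (TCP reset) for those same addresses so they fail fast while the database is down, and DROP for every other source. The addresses, interface name, data directory and function names are assumptions; by default the script only prints the commands it would run (DRY_RUN=1).

```shell
#!/bin/sh
# Added example. Addresses, interface and paths are constructed placeholders.
WEB_IPS="${WEB_IPS:-203.0.113.10 203.0.113.11}"  # assumed web server IPs
EXT_IF="${EXT_IF:-eth0}"                         # assumed external interface
PGPORT="${PGPORT:-5432}"
PGDATA="${PGDATA:-/var/lib/pgsql/data}"          # assumed data directory
DRY_RUN="${DRY_RUN:-1}"                          # 1 = only print the commands

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Standing rules, loaded once with the rest of the firewall: the known web
# servers get a TCP reset (fast failure), every other source is dropped.
base_rules() {
    for ip in $WEB_IPS; do
        run iptables -A INPUT -i "$EXT_IF" -p tcp -s "$ip" --dport "$PGPORT" \
            -j REJECT --reject-with tcp-reset
    done
    run iptables -A INPUT -i "$EXT_IF" -p tcp --dport "$PGPORT" -j DROP
}

# $1 is -I (insert above the standing rules) or -D (delete again).
web_rules() {
    for ip in $WEB_IPS; do
        run iptables "$1" INPUT -i "$EXT_IF" -p tcp -s "$ip" --dport "$PGPORT" -j ACCEPT
    done
}

# Open the port only after the server has started.
pg_up() {
    run pg_ctl start -D "$PGDATA" -w && web_rules -I
}

# Close the port before the server goes away.
pg_down() {
    web_rules -D
    run pg_ctl stop -D "$PGDATA" -m fast
}

case "${1:-}" in
    base)  base_rules ;;
    start) pg_up ;;
    stop)  pg_down ;;
esac
```

If the database dies without going through the wrapper, the ACCEPT rule is still in place and the kernel answers the web servers with a reset because nothing is listening on the port.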
