Re: [GENERAL] How do I prevent binding to TCP/IP port outside of localhost?

2006-03-04 Thread hubert depesz lubaczewski
On 2/23/06, Karl Wright [EMAIL PROTECTED] wrote:
> I have a situation where I need postgres to LISTEN and allow BINDs to
> its TCP/IP port (5432) only to connections that originate from
> localhost.  I need it to not accept *socket* connections if requests

With new PostgreSQL versions (I don't know which version you are using) you
can specify the IP address to bind to, so you have to bind to 127.0.0.1.

depesz

---(end of broadcast)---
TIP 3: Have you checked our extensive FAQ?

   http://www.postgresql.org/docs/faq


[GENERAL] How do I prevent binding to TCP/IP port outside of localhost?

2006-02-24 Thread Karl Wright
I have a situation where I need postgres to LISTEN and allow BINDs to 
its TCP/IP port (5432) only to connections that originate from 
localhost.  I need it to not accept *socket* connections if requests 
come in from off-box.  If I try to set up pg_hba.conf such that it 
rejects off-box requests, it seems to do this after it permits the 
socket connection, and that won't do for our security geeks here.


For example, here's the difference:

[EMAIL PROTECTED]:~$ curl http://duck37:5432
curl: (52) Empty reply from server
[EMAIL PROTECTED]:~$ curl http://duck37:5433
curl: (7) couldn't connect to host
[EMAIL PROTECTED]:~$

Note that the outside world seems to be able to connect to 5432 just 
fine, although any *database* connections get (properly) rejected.


I cannot turn off TCP/IP entirely because I have a Java application that 
uses JDBC.


Can somebody tell me whether this is an innate capability of postgres, 
or whether I will need to modify the base code (and if so, WHERE I would 
modify it?)


Thanks,
Karl Wright




Re: [GENERAL] How do I prevent binding to TCP/IP port outside of localhost?

2006-02-24 Thread Jim Buttafuoco

If it's Linux, use iptables to block the port.

-- Original Message ---
From: Karl Wright [EMAIL PROTECTED]
To: pgsql-general@postgresql.org
Sent: Thu, 23 Feb 2006 15:49:09 -0500
Subject: [GENERAL] How do I prevent binding to TCP/IP port outside of localhost?




Re: [GENERAL] How do I prevent binding to TCP/IP port outside of localhost?

2006-02-24 Thread Rich Doughty

Karl Wright wrote:
> I have a situation where I need postgres to LISTEN and allow BINDs to
> its TCP/IP port (5432) only to connections that originate from
> localhost.  I need it to not accept *socket* connections if requests
> come in from off-box.  If I try to set up pg_hba.conf such that it
> rejects off-box requests, it seems to do this after it permits the
> socket connection, and that won't do for our security geeks here.


Try listen_addresses = 'localhost' in your postgresql.conf.







--

  - Rich Doughty

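The thread's point is that pg_hba.conf only rejects a client after the TCP connection has already been accepted, so the socket itself must never be bound to a non-loopback address (listen_addresses, as Rich suggests). The script below is an added example, not code from the thread or from PostgreSQL: it audits a postgresql.conf for a listen_addresses value that exposes the server, and audits what is actually bound by reading `ss -ltn`-style output (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port). The config file path, the `ss` column layout, and all sample inputs are assumptions constructed for the demo; on a real host you would point it at the live postgresql.conf and pipe in `ss -ltn`.

```shell
#!/bin/sh
# Added example, not code from the thread or from PostgreSQL itself.
# Check 1: audit listen_addresses in a postgresql.conf.
# Check 2: audit what is actually bound, from `ss -ltn` output on stdin.
# All sample inputs below are constructed for the demo.

# Print the effective listen_addresses value from a postgresql.conf (file
# argument, or stdin if none).  PostgreSQL takes the last uncommented
# assignment; an unset parameter defaults to 'localhost'.
pg_conf_listen_addresses() {
  awk '
    /^[ \t]*listen_addresses[ \t]*=/ {
      sub(/#.*/, "")                 # drop trailing comment
      sub(/^[^=]*=[ \t]*/, "")       # keep only the right-hand side
      gsub(/[ \t'"'"']/, "")         # drop quotes and whitespace
      value = $0; seen = 1
    }
    END { if (seen) print value; else print "localhost" }
  ' ${1:+"$1"}
}

# Return 0 when listen_addresses names only loopback addresses (or is the
# empty string, which disables TCP entirely); 1 when any entry is reachable
# from off-box ('*', '0.0.0.0', '::', or an interface address).
pg_conf_is_local() {
  addrs=$(pg_conf_listen_addresses ${1:+"$1"})
  if [ -z "$addrs" ]; then return 0; fi
  printf '%s\n' "$addrs" | tr ',' '\n' | awk '
    $0 == "localhost" || $0 ~ /^127\./ || $0 == "::1" { next }
    { exposed = 1 }
    END { exit exposed }
  '
}

# Read `ss -ltn` output on stdin and print each listener on PORT whose local
# address is not loopback.  No output means nothing on that port is exposed.
pg_exposed_listeners() {
  awk -v port="$1" '
    $1 != "LISTEN" { next }                  # skip header and non-listeners
    {
      sock = $4
      n = split(sock, parts, ":")
      if (parts[n] != port) next
      addr = substr(sock, 1, length(sock) - length(port) - 1)
      gsub(/\[/, "", addr); gsub(/\]/, "", addr)   # strip IPv6 brackets
      if (addr ~ /^127\./ || addr == "::1") next
      print sock
    }
  '
}

# Return 0 when every listener on PORT (from `ss -ltn` on stdin) is loopback.
pg_listener_is_local() {
  [ -z "$(pg_exposed_listeners "$1")" ]
}

# Constructed samples: a postgresql.conf that exposes the server, and the
# kind of `ss -ltn` output that results from listen_addresses = '*'.
sample_conf_exposed() {
  cat <<'EOF'
port = 5432
#listen_addresses = 'localhost'
listen_addresses = '*'     # every interface: off-box TCP connects succeed
EOF
}
sample_ss_exposed() {
  cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:5432       0.0.0.0:*
LISTEN 0      128    [::]:5432          [::]:*
EOF
}

# Demo on the constructed samples.  On a live host use the real conf path and
# `ss -ltn | pg_exposed_listeners 5432` instead.
if sample_conf_exposed | pg_conf_is_local; then
  echo "postgresql.conf: listen_addresses is loopback-only"
else
  echo "postgresql.conf: exposed by listen_addresses = $(sample_conf_exposed | pg_conf_listen_addresses)"
fi
sample_ss_exposed | pg_exposed_listeners 5432 | sed 's/^/exposed listener: /'
```

Both checks matter: the conf check catches the setting before a restart, and the socket check confirms the running postmaster actually bound only 127.0.0.1 / ::1, which is what the curl test in the original post was probing. An empty listen_addresses string passes the check because it disables TCP altogether, which Karl rules out because of JDBC; 'localhost' passes because it resolves to loopback only.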