[GENERAL] access and security
Hi all, please forgive a (likely) less than clever question. Are the barriers provided by pg_hba.conf enough from a security standpoint, or is it best to put up some iptable rules duplicating the restrictions? Andy ---(end of broadcast)--- TIP 2: Don't 'kill -9' the postmaster
Re: [GENERAL] access and security
am Mon, dem 30.10.2006, um 13:34:34 +0100 mailte Andrew Kelly folgendes: Hi all, please forgive a (likely) less than clever question. Are the barriers provided by pg_hba.conf enough from a security standpoint, or is it best to put up some iptable rules duplicating the restrictions? Of cource, you can define rules for iptables to prevent access to your database. But consider, this rules obtain for the entire database-cluster. With pg_hba.conf you can define different permissions for different databases. If you need this, than you can't use iptables for this. Andreas -- Andreas Kretschmer Kontakt: Heynitz: 035242/47215, D1: 0160/7141639 (mehr: - Header) GnuPG-ID: 0x3FFF606C, privat 0x7F4584DA http://wwwkeys.de.pgp.net ---(end of broadcast)--- TIP 1: if posting/reading through Usenet, please send an appropriate subscribe-nomail command to [EMAIL PROTECTED] so that your message can get through to the mailing list cleanly
Re: [GENERAL] access and security
On Mon, Oct 30, 2006 at 01:34:34PM +0100, Andrew Kelly wrote: Hi all, please forgive a (likely) less than clever question. Are the barriers provided by pg_hba.conf enough from a security standpoint, or is it best to put up some iptable rules duplicating the restrictions? iptables covers the entire server, whereas pg_hba.conf cancontrol per database. Think of it as layers. If you know only two other machines will ever access this server, you can use iptables to enforce this. From those two machines, you than use pg_hba.conf to fine-tune the access controls. Have a nice day, -- Martijn van Oosterhout kleptog@svana.org http://svana.org/kleptog/ From each according to his ability. To each according to his ability to litigate. signature.asc Description: Digital signature
Re: [GENERAL] access and security
On Mon, 2006-10-30 at 15:36 +0100, Martijn van Oosterhout wrote: On Mon, Oct 30, 2006 at 01:34:34PM +0100, Andrew Kelly wrote: Hi all, please forgive a (likely) less than clever question. Are the barriers provided by pg_hba.conf enough from a security standpoint, or is it best to put up some iptable rules duplicating the restrictions? iptables covers the entire server, whereas pg_hba.conf cancontrol per database. Think of it as layers. If you know only two other machines will ever access this server, you can use iptables to enforce this. From those two machines, you than use pg_hba.conf to fine-tune the access controls. Have a nice day, Thanks, Martijn, und danke Andreas. This is what I figured; appreciate the confirmation. Andy ---(end of broadcast)--- TIP 6: explain analyze is your friend