Re: Patch to make postmaster bind to only to localhost. - Mailing list pgsql-patches

From John C. Quillan
Subject Re: Patch to make postmaster bind to only to localhost.
Date
Msg-id 39BDBC5E.E18A65DF@datasoft.com
Whole thread Raw
In response to Re: Patch to make postmaster bind to only to localhost.  (Bruce Momjian <pgman@candle.pha.pa.us>)
Responses Re: Patch to make postmaster bind to only to localhost.
List pgsql-patches
Bruce,

I might agree except for the following.  By the time the pg_hba.conf
file is checked the connection is already accepted, then rejected
by the rule.  An outsider could easily overload the postmaster by
making repeated connections.

Also with a port scan an outside cracker can get a small piece of
information about what is running on your system.  The less information
a cracker has the better.

With this patch neither of these situations would be possible.

Would you be more open to a more general, but more complex, patch that
would allow you to select the IPs that you bind to?  This would allow
one to configure a system where the localhost and an internal interface
are bound, but the external interface to the internet is not.

Thanks,

John C. Quillan
>
> I am inclined to skip this patch.  We already have too many postmaster
> options, and I don't think adding something that is already done in
> pg_hba.conf is a big help.  Sorry.
>
> > All,
> >
> > The company I work for, DataSoft, is doing a web based project
> > that uses Java and the JDBC driver for postgres.  Apparently the
> > developers have told me that JDBC requires the -i option on
> > postmaster. The only problem is this leaves a visibility to the
> > outside world that we are using postmaster, or some other service.
> > Now we do have the pg_hba.conf configured to allow connections
> > from only that box itself, but you can never be too paranoid.
> >
> > The patch that is attached adds a "-L" option to postmaster, which
> > tells postmaster to bind only to 127.0.0.1 or localhost.  Now this
> > port is not exposed to the outside world, i.e. port scanners can't
> > detect it, and we can run our Java code with a little more comfort.
> >
> > The patch is against the postgresql-7.0.2 source tree.
> >
> > The patch was minimally tested under Linux kernel 2.2.5 using
> > a RedHat 6.0 distribution.
> >
> > The files affected are
> >   postgresql-7.0.2/src/backend/libpq/pqcomm.c
> >   postgresql-7.0.2/src/include/libpq/libpq.h
> >   postgresql-7.0.2/src/backend/postmaster/postmaster.c
> >
> > The patch just adds the -L option with a bool flag variable
> > BindLocalOnly to postmaster.c
> >
> > Also the StreamServerPort function was modified to take an extra
> > bool argument which, if true, causes the socket to be bound
> > to INADDR_LOOPBACK instead of INADDR_ANY.
> >
> > The patch is just a tar.gz file that extracts over the postgresql-7.0.2
> > source tree.
> >
> > If there are any issues please let me know.
> >
> > Thanks,
> >
> > John C. Quillan
> > john_quillan@datasoft.com
>
> [ application/x-gzip is not supported, skipping... ]
>
> --
>   Bruce Momjian                        |  http://candle.pha.pa.us
>   pgman@candle.pha.pa.us               |  (610) 853-3000
>   +  If your life is a hard drive,     |  830 Blythe Avenue
>   +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
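The thread turns on one socket-level detail: a listener bound to INADDR_ANY answers on every interface and is therefore visible to a port scan, while one bound to INADDR_LOOPBACK (the proposed -L flag) or to a single interface address (the "more general" patch John offers to write) is not. The following is an added example, not John's patch and not PostgreSQL's StreamServerPort; it assumes a bind address given as NULL, "*", "localhost" or an IPv4 dotted quad, and uses a port of 0 in main() only so that the kernel picks a free port for the demonstration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>
#include <unistd.h>

/* Added example: choose the address a listening socket is bound to.
 * NULL or "*"            -> INADDR_ANY, every interface (postmaster -i)
 * "localhost"/127.0.0.1  -> INADDR_LOOPBACK, local clients only (proposed -L)
 * any other dotted quad  -> that one interface (the more general patch)
 * Returns 0 on success, -1 if the string is not a valid IPv4 address. */
int build_bind_addr(const char *bind_host, unsigned short port,
                    struct sockaddr_in *sa)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    if (bind_host == NULL || strcmp(bind_host, "*") == 0) {
        sa->sin_addr.s_addr = htonl(INADDR_ANY);
    } else if (strcasecmp(bind_host, "localhost") == 0) {
        sa->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    } else if (inet_pton(AF_INET, bind_host, &sa->sin_addr) != 1) {
        return -1;              /* reject rather than silently bind everywhere */
    }
    return 0;
}

/* Create, bind and listen on the chosen address.  On success returns the
 * socket and stores the port actually bound in *bound_port (useful when
 * port 0 was requested); on any failure returns -1 with nothing left open. */
int open_listener(const char *bind_host, unsigned short port,
                  unsigned short *bound_port)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int one = 1;
    int fd;

    if (build_bind_addr(bind_host, port, &sa) < 0)
        return -1;
    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        listen(fd, 5) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        close(fd);
        return -1;
    }
    if (bound_port)
        *bound_port = ntohs(sa.sin_port);
    return fd;
}

/* The address build_bind_addr() would use, in host byte order, or
 * 0xFFFFFFFF when the string is rejected.  Lets the choice be checked
 * without opening a socket. */
unsigned int bind_addr_host_order(const char *bind_host)
{
    struct sockaddr_in sa;
    if (build_bind_addr(bind_host, 5432, &sa) < 0)
        return 0xFFFFFFFFu;
    return ntohl(sa.sin_addr.s_addr);
}

int main(void)
{
    unsigned short port = 0;
    int fd = open_listener("localhost", 0, &port);  /* port 0: kernel picks one */
    if (fd < 0) {
        perror("open_listener");
        return 1;
    }
    printf("listening on 127.0.0.1:%u only; a scan of an external interface "
           "sees no open port\n", port);
    close(fd);
    return 0;
}
```

With the listener running, `netstat -an` (or `ss -ltn` on newer systems) shows it as 127.0.0.1:PORT rather than 0.0.0.0:PORT, and a connection attempt from another host is refused by the kernel before any process-level rule such as pg_hba.conf is consulted, which is the point of John's first objection.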

pgsql-patches by date:

Previous
From: William Webber
Date:
Subject: JDBC: prevent NullPointerException if translations missing
Next
From: Bruce Momjian
Date:
Subject: Re: JDBC: prevent NullPointerException if translations missing