Re: Firewall Security Requirements for Postgresql Access - Mailing list pgsql-general

From Tom Lane
Subject Re: Firewall Security Requirements for Postgresql Access
Msg-id 5855.1094597586@sss.pgh.pa.us
In response to Re: Firewall Security Requirements for Postgresql Access  (Gaetano Mendola <mendola@bigfoot.com>)
List pgsql-general
Gaetano Mendola <mendola@bigfoot.com> writes:
> Randy Yates wrote:
>> Is opening up port 5432 (R/W both directions) all that is required
>> of a firewall in order to access a postgres database outside the
>> firewall?

> Yes it is.

If it's a stateful firewall (e.g. something doing NAT translation) you
will also want to ask hard questions about how quickly it drops idle
connections.  If the answer is "less than an hour, and you can't change
it" then you may want to think about buying a different firewall.
Else, idle database connections are likely to disappear from under your
clients.

Postgres does enable TCP "keepalive" to prevent idle connections from
dying, but most kernels only send keepalive probes every hour or so.
(The TCP RFCs actually specify how often to do this, IIRC.)  If the
firewall drops idle connections after less than the TCP keepalive interval,
you got trouble.

You can of course work around this in any number of ways, but it's
better not to use a standards-challenged firewall in the first place.

            regards, tom lane
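An added example, not part of Tom's message or anything else in this thread: a client-side sketch of the kind of workaround he alludes to, tuning the socket's TCP keepalive timers so probes fire inside the firewall's idle window instead of at the kernel's default (typically two hours). The 30-minute firewall timeout and the "first probe at half the window" rule are constructed assumptions; the option names are the standard Linux ones, with the macOS spelling handled where the platform exposes it.

```python
import socket

DEFAULT_KEEPALIVE_IDLE = 7200  # common kernel default: two hours before the first probe
FIREWALL_IDLE_TIMEOUT = 1800   # constructed: firewall drops idle flows after 30 minutes


def keepalive_survives(firewall_idle_timeout, keepalive_idle=DEFAULT_KEEPALIVE_IDLE):
    """True if the first keepalive probe goes out before the firewall's idle timer expires."""
    return keepalive_idle < firewall_idle_timeout


def keepalive_settings(firewall_idle_timeout, probes=3):
    """Assumed rule: first probe at half the firewall window, then `probes`
    retries spread over the remaining half, so a dead peer is also noticed."""
    if firewall_idle_timeout < 2 * (probes + 1):
        raise ValueError("firewall timeout too short to fit keepalive probes")
    idle = firewall_idle_timeout // 2
    interval = max(1, (firewall_idle_timeout - idle) // (probes + 1))
    return {"idle": idle, "interval": interval, "count": probes}


def enable_keepalive(sock, settings):
    """Turn keepalive on for a TCP socket and set its timers where the platform
    exposes them. Returns the option names actually applied."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = ["SO_KEEPALIVE"]
    # Linux names; macOS exposes the idle timer as TCP_KEEPALIVE instead.
    for name, key in (("TCP_KEEPIDLE", "idle"), ("TCP_KEEPALIVE", "idle"),
                      ("TCP_KEEPINTVL", "interval"), ("TCP_KEEPCNT", "count")):
        opt = getattr(socket, name, None)
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, settings[key])
            applied.append(name)
    return applied


def configure_client_socket(firewall_idle_timeout):
    """Build a client socket tuned for the given firewall window (before handing
    it to a database driver) and read SO_KEEPALIVE back to confirm it took.
    Returns (settings, applied, enabled)."""
    settings = keepalive_settings(firewall_idle_timeout)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        applied = enable_keepalive(sock, settings)
        enabled = sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0
    finally:
        sock.close()
    return settings, applied, enabled
```

With the default two-hour idle timer, `keepalive_survives(1800)` is False, which is exactly the failure mode the message describes; after tuning, the first probe lands at 900 seconds and the connection stays open.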
