Thread: Firewalls and Postgres
Does anyone know if postgres uses any additional ports that might be blocked by a firewall? I'm setting up a data warehouse prototype using pgAccess as the front end and I'm not having too much success with firewalling. Any help is greatly appreciated.

Thanks,
--
Alan Carbutt
Systems Administrator/Programmer
Adams State College
719-587-7741
arcarbut@adams.edu
On Wed, 2003-01-29 at 10:04, Alan Carbutt wrote:
> Does anyone know if postgres uses any additional ports that might be
> blocked by a firewall? I'm setting up a data warehouse prototype using
> pgAccess as the front end and I'm not having too much success with
> firewalling. Any help is greatly appreciated

5432 works fine with my firewall.

I cannot figure out yet how to do ssh port forwarding on it. Any tips appreciated.

Cheers

Tony Grant
--
www.tgds.net
Library management software toolkit,
redhat linux on Sony Vaio C1XD,
Dreamweaver MX with Tomcat and PostgreSQL
On 29 Jan 2003, Alan Carbutt wrote:
> Does anyone know if postgres uses any additional ports that might be
> blocked by a firewall? I'm setting up a data warehouse prototype using
> pgAccess as the front end and I'm not having too much success with
> firewalling. Any help is greatly appreciated.

Ok, rather vague question for something like this. Additional ports to the 5432, or whatever you've configured the server to listen on, I presume. I therefore have to assume that you've opened tcp port 5432 (or whatever) and you're seeing tcp traffic coming through and back out, in which case it's working. On the other hand it's not working, so: have you opened the firewall properly? Are you using ident authentication? What about other authentication/authorisation methods requiring access to external resources? A basic network monitor should help you find out what traffic your server is trying to send out, where it's getting to and what's happening to the reply packets. Having said that, it helps having another system to do the monitoring with, as the firewall rules can get in the way of seeing the packets you want to see in order to see what firewall rule to create :)

--
Nigel Andrews
On Wednesday, 29 January 2003 22:11, Tony Grant wrote:
> On Wed, 2003-01-29 at 10:04, Alan Carbutt wrote:
> > Does anyone know if postgres uses any additional ports that might be
> > blocked by a firewall? I'm setting up a data warehouse prototype using
> > pgAccess as the front end and I'm not having too much success with
> > firewalling. Any help is greatly appreciated
>
> 5432 works fine with my firewall.
>
> I can not figure yet how to do ssh port forwarding on it. Any tips
> appreciated.

No problems with that (at least with openssh), even through a firewall:

    ssh -l my-secret-key-file -n -N \
        -L 15432:other.host.com:5432 \
        other.host.com </dev/null

    psql -h localhost -p 15432 my_database

However, you have to keep in mind that this connection ends up on other.host.com as a tcp/ip connection on 11.22.33.44, not on 127.0.0.1. Might need some tweaking in postgresql.conf and pg_hba.conf.

With kind regards
Holger Klawitter
--
Holger Klawitter
http://www.klawitter.de
lists@klawitter.de
On Wed, 2003-01-29 at 10:47, Holger Klawitter wrote:
> > I can not figure yet how to do ssh port forwarding on it. Any tips
> > appreciated.
>
> No problems with that (at least with openssh), even through a firewall:
>
>     ssh -l my-secret-key-file -n -N \
>         -L 15432:other.host.com:5432 \
>         other.host.com </dev/null
>
>     psql -h localhost -p 15432 my_database
>
> However, you have to keep in mind that this connection ends up on
> other.host.com as a tcp/ip connection on 11.22.33.44, not on 127.0.0.1.
> Might need some tweaking in postgresql.conf and pg_hba.conf.

I thought it might be something like that. Not going to be easy with a dynamic IP...

Thanks

Tony
--
www.tgds.net
Library management software toolkit,
redhat linux on Sony Vaio C1XD,
Dreamweaver MX with Tomcat and PostgreSQL
On Wed, 2003-01-29 at 10:47, Holger Klawitter wrote:
>     ssh -l my-secret-key-file -n -N \
>         -L 15432:other.host.com:5432 \
>         other.host.com </dev/null
>
>     psql -h localhost -p 15432 my_database
>
> However, you have to keep in mind that this connection ends up on
> other.host.com as a tcp/ip connection on 11.22.33.44, not on 127.0.0.1.
> Might need some tweaking in postgresql.conf and pg_hba.conf.

OK, the database is behind a firewall. What if I modify pg_hba.conf to let everybody access the database from anywhere?

Risk is leet hax hacks his way through the firewall and does damage. If he gets through the firewall he will probably be able to break lots of other stuff than Postgres too...

I really want to port forward the web application running on port 80. But the database behind the web application replies to the requests and won't serve the data to my IP. JSP is pretty good at tightening stuff like that down!

Cheers

Tony Grant
--
www.tgds.net
Library management software toolkit,
redhat linux on Sony Vaio C1XD,
Dreamweaver MX with Tomcat and PostgreSQL
At 05:13 PM 1/29/03 -0500, Tony Grant wrote:
>ome tweaking in postgresql.conf and pg_hba.conf.
>
>OK the database is behind a firewall. What if I modify pg_hba.conf to
>let everybody access the database from anywhere?
>
>Risk is leet hax hacks his way through the firewall and does damage. If
>he gets through the firewall he will probably be able to break lots of
>other stuff than Postgres too...

How about pg_hba.conf configured to allow any IP to access, but the host postgresql is running on is configured to not allow external access to the postgresql port, and only allows ssh or whatever you picked to tunnel stuff in. So the only way in is via the tunnel.

>I really want to port forward the web application running on port 80.
>But the database behind the web application replies to the requests and
>won't serve the data to my IP. JSP is pretty good at tightening stuff
>like that down!

I don't understand the dynamic IP part you mentioned in another post. Is your web app really on a dynamic IP on the Internet, trying to access a remote postgresql server through a firewall?

Some details on your network setup could be helpful.

Link.
On Wed, 2003-01-29 at 12:00, Lincoln Yeoh wrote:
> I don't understand the dynamic IP part you mentioned in another post.

I am on a dynamic IP. I can't put my IP number in pg_hba.conf

> Is your web app really on a dynamic IP on the Internet, trying to access a
> remote postgresql server through a firewall?

I am tunneling through two firewalls to get to the webapp. The webapp is on an intranet.

I just wanted to be able to use the webapp by port forwarding instead of tunneling an X session (mozilla running locally is a bit faster than on the distant machine).

For everything else I use ssh X (pgaccess and psql run just fine that way)

Cheers

Tony Grant
--
www.tgds.net
Library management software toolkit,
redhat linux on Sony Vaio C1XD,
Dreamweaver MX with Tomcat and PostgreSQL
At 06:18 PM 1/29/03 -0500, Tony Grant wrote:
> > Is your web app really on a dynamic IP on the Internet, trying to access a
> > remote postgresql server through a firewall?
>
>I am tunneling through two firewalls to get to the webapp. The webapp is
>on an intranet.
>
>I just wanted to be able to use the webapp by port forwarding instead of
>tunneling an X session (mozilla running locally is a bit faster than on
>the distant machine).

But why would you need access to the postgresql port in this case? Webapp = http/https only, right? Webapp already talks to db server directly, right? You said ssh takes care of psql already.

If you would be revealing confidential info to explain, then nevermind. I'm just a bit confused.

Link.
On Wed, 29 Jan 2003 16:47:35 +0100 in message <200301291647.35376.lists@klawitter.de>, Holger Klawitter <lists@klawitter.de> wrote:
> Am Mittwoch, 29. Januar 2003 22:11 schrieb Tony Grant:
> > On Wed, 2003-01-29 at 10:04, Alan Carbutt wrote:
> > > Does anyone know if postgres uses any additional ports that might be
> > > blocked by a firewall? I'm setting up a data warehouse prototype using
> > > pgAccess as the front end and I'm not having too much success with
> > > firewalling. Any help is greatly appreciated
> >
> > 5432 works fine with my firewall.
> >
> > I can not figure yet how to do ssh port forwarding on it. Any tips
> > appreciated.
>
> No problems with that (at least with openssh), even through a firewall:
>
>     ssh -l my-secret-key-file -n -N \
>         -L 15432:other.host.com:5432 \
>         other.host.com </dev/null
>
>     psql -h localhost -p 15432 my_database
>
> However, you have to keep in mind that this connection ends up on
> other.host.com as a tcp/ip connection on 11.22.33.44, not on 127.0.0.1.
> Might need some tweaking in postgresql.conf and pg_hba.conf.

I don't think you're right here ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

on one machine:

    ssh -L 15432:127.0.0.1:5432 eds
    (+ pw and stuff)
    psql -p 15432 -h localhost

and on the other I see:

    [eds:ops/logs] erics% ps ax | grep post
      272  ??  S      0:01.75 /usr/local/bin/postmaster -i -D /Volumes/db/pgsql/data
      313  ??  S      0:00.01 postgres: stats buffer process
      314  ??  S      0:00.15 postgres: stats collector process
     1363  ??  S      0:00.08 postgres: erics erics 127.0.0.1 idle
    [eds:ops/logs] erics% netstat -a | grep 5432
    tcp        0      0  localhost.5432         localhost.51398        ESTABLISHED
    tcp        0      0  localhost.51398        localhost.5432         ESTABLISHED
    tcp        0      0  *.5432                 *.*                    LISTEN

It's pretty clearly coming in over loopback internet sockets.

eric
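Putting Lincoln's suggestion (lock the server to local access, let only the tunnel in) and eric's observation (a forwarded session reaches the server from 127.0.0.1) into something checkable; this is an added example, not code from anyone in the thread. It audits a pg_hba.conf for rules that admit every remote host and prints the loopback-only settings that pair with `ssh -L 15432:127.0.0.1:5432 dbhost`; the sample pg_hba.conf and the host name `dbhost` are constructed for the example, and the parameter names are those of current PostgreSQL rather than the 2003 ones.

```shell
#!/bin/sh
# Added example: audit pg_hba.conf for rules open to the whole Internet and
# show the tunnel-only replacement. Not part of the original thread.

# Constructed pg_hba.conf with one dangerous rule (any IPv4 host, no password).
SAMPLE_HBA='# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                   peer
host    all       all   127.0.0.1/32    scram-sha-256
host    all       all   0.0.0.0/0       trust'

# hba_wide_open FILE: print every host/hostssl/hostnossl rule whose address
# matches all of IPv4 or IPv6. Returns 0 if at least one exists, 1 otherwise.
hba_wide_open() {
    grep -E '^[[:space:]]*host[a-z]*[[:space:]]' "$1" |
        awk '$4 == "0.0.0.0/0" || $4 == "::/0" || $4 == "all" ||
             ($4 == "0.0.0.0" && $5 == "0.0.0.0")' |
        grep .
}

# tunnel_only_config: settings for a server reached only through
# "ssh -L 15432:127.0.0.1:5432 dbhost" (dbhost is a placeholder name).
# Because the forwarded connection arrives from loopback, no remote
# address ever needs to appear in pg_hba.conf, dynamic IP or not.
tunnel_only_config() {
    cat <<'EOF'
# postgresql.conf: accept TCP connections on loopback only
listen_addresses = 'localhost'
# pg_hba.conf: the tunneled session arrives from 127.0.0.1, not the client IP
host    all    all    127.0.0.1/32    scram-sha-256
host    all    all    ::1/128         scram-sha-256
EOF
}

# Demo: write the sample file, audit it, print the replacement if needed.
demo() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_HBA" > "$f"
    if hba_wide_open "$f"; then
        echo "--> pg_hba.conf admits every remote host; use instead:"
        tunnel_only_config
    fi
    rm -f "$f"
}
demo
```

With the server bound to localhost, the firewall only has to pass the ssh port, and an `ss -tnp` or `netstat -a` on the server will show the session on loopback exactly as in eric's listing.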
> I am tunneling through two firewalls to get to the webapp. The webapp is
> on an intranet.
>
> I just wanted to be able to use the webapp by port forwarding instead of
> tunneling an X session (mozilla running locally is a bit faster than on
> the distant machine).
>
> For everything else I use ssh X (pgaccess and psql run just fine that
> way)

What you probably want to do is add an entry in /etc/hosts (or run your own private dns if things get complicated) that maps your webapp machine name to 127.0.0.1, then ssh port forward port 80 to port 80 on that machine (by number). This fools your local browser into thinking that 127.0.0.1 is the webapp server.

eric
On Wednesday, 29 January 2003 22:38, eric soroos wrote:
> > However, you have to keep in mind that this connection ends up on
> > other.host.com as a tcp/ip connection on 11.22.33.44, not on 127.0.0.1.
> > Might need some tweaking in postgresql.conf and pg_hba.conf.
>
> I don't think you're right here ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Well, might be that the tcp/ip enable might have been enough. In this case Tony's problem should be non-existent :-)

With kind regards
Holger Klawitter
--
Holger Klawitter
http://www.klawitter.de
lists@klawitter.de
Alan:

I'm running postgres DBs behind a local network with access controlled via a linux machine; works well, but firewall is a pretty generic term.

Our implementation is based on a host running linux using iptables to manage access. Though you may have problems with ident, hostssl and userid/password work fine. Ident may work if you use the same port mapping on the point of control (firewall machine) and on the host which serves up postgres on the local (protected) lan. If the ports are not the same on the point of control and the protected postgres host, ident seems to get confused and does not work.

Kenny

On Wed, Jan 29, 2003 at 08:04:01AM -0700, Alan Carbutt wrote:
> Does anyone know if postgres uses any additional ports that might be
> blocked by a firewall? I'm setting up a data warehouse prototype using
> pgAccess as the front end and I'm not having too much success with
> firewalling. Any help is greatly appreciated.
> Thanks,
> --
> Alan Carbutt
> Systems Administrator/Programmer
> Adams State College
> 719-587-7741
> arcarbut@adams.edu