Thread: How do I prevent binding to TCP/IP port outside of localhost?

How do I prevent binding to TCP/IP port outside of localhost?

From: Karl Wright
I have a situation where I need postgres to LISTEN and allow BINDs to
its TCP/IP port (5432) only to connections that originate from
localhost.  I need it to not accept *socket* connections if requests
come in from off-box.  If I try to set up pg_hba.conf such that it
rejects off-box requests, it seems to do this after it permits the
socket connection, and that won't do for our security geeks here.

For example, here's the difference:

kwright@merrimack:~$ curl http://duck37:5432
curl: (52) Empty reply from server
kwright@merrimack:~$ curl http://duck37:5433
curl: (7) couldn't connect to host
kwright@merrimack:~$

Note that the outside world seems to be able to connect to 5432 just
fine, although any *database* connections get (properly) rejected.

I cannot turn off TCP/IP entirely because I have a Java application that
uses JDBC.

Can somebody tell me whether this is an innate capability of postgres,
or whether I will need to modify the base code (and if so, WHERE would I
modify it?)

Thanks,
Karl Wright


Re: How do I prevent binding to TCP/IP port outside of localhost?

From: Jim Buttafuoco
If it's Linux, use iptables to block the port.

---------- Original Message -----------
From: Karl Wright <kwright@metacarta.com>
To: pgsql-general@postgresql.org
Sent: Thu, 23 Feb 2006 15:49:09 -0500
Subject: [GENERAL] How do I prevent binding to TCP/IP port outside of localhost?

> I have a situation where I need postgres to LISTEN and allow BINDs to
> its TCP/IP port (5432) only to connections that originate from
> localhost.  I need it to not accept *socket* connections if requests
> come in from off-box.  If I try to set up pg_hba.conf such that it
> rejects off-box requests, it seems to do this after it permits the
> socket connection, and that won't do for our security geeks here.
>
> For example, here's the difference:
>
> kwright@merrimack:~$ curl http://duck37:5432
> curl: (52) Empty reply from server
> kwright@merrimack:~$ curl http://duck37:5433
> curl: (7) couldn't connect to host
> kwright@merrimack:~$
>
> Note that the outside world seems to be able to connect to 5432 just
> fine, although any *database* connections get (properly) rejected.
>
> I cannot turn off TCP/IP entirely because I have a Java application that
> uses JDBC.
>
> Can somebody tell me whether this is an innate capability of postgres,
> or whether I will need to modify the base code (and if so, WHERE would I
> modify it?)
>
> Thanks,
> Karl Wright
------- End of Original Message -------


Re: How do I prevent binding to TCP/IP port outside of

From: Rich Doughty
Karl Wright wrote:
> I have a situation where I need postgres to LISTEN and allow BINDs to
> its TCP/IP port (5432) only to connections that originate from
> localhost.  I need it to not accept *socket* connections if requests
> come in from off-box.  If I try to set up pg_hba.conf such that it
> rejects off-box requests, it seems to do this after it permits the
> socket connection, and that won't do for our security geeks here.

Try listen_addresses = 'localhost' in your postgresql.conf.

>
> For example, here's the difference:
>
> kwright@merrimack:~$ curl http://duck37:5432
> curl: (52) Empty reply from server
> kwright@merrimack:~$ curl http://duck37:5433
> curl: (7) couldn't connect to host
> kwright@merrimack:~$
>
> Note that the outside world seems to be able to connect to 5432 just
> fine, although any *database* connections get (properly) rejected.
>
> I cannot turn off TCP/IP entirely because I have a Java application that
> uses JDBC.
>
> Can somebody tell me whether this is an innate capability of postgres,
> or whether I will need to modify the base code (and if so, WHERE would I
> modify it?)
>
> Thanks,
> Karl Wright
>


--

   - Rich Doughty

Re: How do I prevent binding to TCP/IP port outside of localhost?

From: hubert depesz lubaczewski
On 2/23/06, Karl Wright <kwright@metacarta.com> wrote:
> I have a situation where I need postgres to LISTEN and allow BINDs to
> its TCP/IP port (5432) only to connections that originate from
> localhost.  I need it to not accept *socket* connections if requests

With new PostgreSQL versions (I don't know which version you are using) you
can specify the IP address to bind to, so you have to bind to 127.0.0.1.

depesz
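A way to audit the fix that Rich and depesz suggest, as an added example that is not from any of the posters: a POSIX shell script that reads the effective listen_addresses from a postgresql.conf, classifies it as loopback-only or exposed, and filters `ss -ltn` output for listeners on the port that are not bound to loopback. It assumes the setting is single-quoted and that `ss` prints the local address in its fourth column; the config text and socket lines below are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a postgresql.conf
# listen_addresses setting exposes the TCP port beyond loopback, and verify
# the socket table after the change. All sample inputs are constructed.

# Read postgresql.conf on stdin, print the effective (last, uncommented,
# single-quoted) listen_addresses value; PostgreSQL defaults to 'localhost'.
listen_from_conf() {
  val=$(sed -n "s/^[[:space:]]*listen_addresses[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" | tail -n 1)
  if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'localhost\n'; fi
}

# Classify a listen_addresses value: every entry must be a loopback name/address.
classify_listen() {
  value=$(printf '%s' "$1" | tr -d ' ')
  if [ -z "$value" ]; then echo "disabled: no TCP/IP sockets at all"; return; fi
  exposed=$(printf '%s\n' "$value" | tr ',' '\n' \
            | grep -F -v -x -e localhost -e 127.0.0.1 -e ::1 | head -n 1)
  if [ -n "$exposed" ]; then echo "exposed: $exposed"; else echo "loopback-only"; fi
}

# Read `ss -ltn` output on stdin, print LISTEN sockets on port $1 that are not
# bound to loopback. Empty output means off-box hosts now get "couldn't connect".
non_loopback_listeners() {
  awk -v port="$1" '$1 == "LISTEN" && $4 ~ (":" port "$") {
    addr = $4; sub(/:[0-9]+$/, "", addr)
    if (addr != "127.0.0.1" && addr != "[::1]") print addr }'
}

# Constructed configs: the weak setting beside the corrected one.
weak_conf="listen_addresses = '*'            # any interface completes the TCP handshake
port = 5432"
fixed_conf="listen_addresses = 'localhost'   # loopback only; same-box JDBC still works
port = 5432"

for conf in "$weak_conf" "$fixed_conf"; do
  addrs=$(printf '%s\n' "$conf" | listen_from_conf)
  printf "listen_addresses = '%s' -> %s\n" "$addrs" "$(classify_listen "$addrs")"
done
```

On the live box, `ss -ltn | non_loopback_listeners 5432` after restarting postgres should print nothing; pg_hba.conf still governs who may authenticate over the loopback socket.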