Thread: How do I prevent binding to TCP/IP port outside of localhost?
I have a situation where I need postgres to LISTEN and allow BINDs to its TCP/IP port (5432) only to connections that originate from localhost. I need it to not accept *socket* connections if requests come in from off-box. If I try to set up pg_hba.conf such that it rejects off-box requests, it seems to do this after it permits the socket connection, and that won't do for our security geeks here. For example, here's the difference: kwright@merrimack:~$ curl http://duck37:5432 curl: (52) Empty reply from server kwright@merrimack:~$ curl http://duck37:5433 curl: (7) couldn't connect to host kwright@merrimack:~$ Note that the outside world seems to be able to connect to 5432 just fine, although any *database* connections get (properly) rejected. I cannot turn off TCP/IP entirely because I have a Java application that uses JDBC. Can somebody tell me whether this is an innate capability of postgres, or whether I will need to modify the base code (and if so, WHERE I would modify it?) Thanks, Karl Wright
if its linux, use iptables to block to port. ---------- Original Message ----------- From: Karl Wright <kwright@metacarta.com> To: pgsql-general@postgresql.org Sent: Thu, 23 Feb 2006 15:49:09 -0500 Subject: [GENERAL] How do I prevent binding to TCP/IP port outside of localhost? > I have a situation where I need postgres to LISTEN and allow BINDs to > its TCP/IP port (5432) only to connections that originate from > localhost. I need it to not accept *socket* connections if requests > come in from off-box. If I try to set up pg_hba.conf such that it > rejects off-box requests, it seems to do this after it permits the > socket connection, and that won't do for our security geeks here. > > For example, here's the difference: > > kwright@merrimack:~$ curl http://duck37:5432 > curl: (52) Empty reply from server > kwright@merrimack:~$ curl http://duck37:5433 > curl: (7) couldn't connect to host > kwright@merrimack:~$ > > Note that the outside world seems to be able to connect to 5432 just > fine, although any *database* connections get (properly) rejected. > > I cannot turn off TCP/IP entirely because I have a Java application that > uses JDBC. > > Can somebody tell me whether this is an innate capability of postgres, > or whether I will need to modify the base code (and if so, WHERE I would > modify it?) > > Thanks, > Karl Wright > > ---------------------------(end of broadcast)--------------------------- > TIP 1: if posting/reading through Usenet, please send an appropriate > subscribe-nomail command to majordomo@postgresql.org so that your > message can get through to the mailing list cleanly ------- End of Original Message -------
Karl Wright wrote: > I have a situation where I need postgres to LISTEN and allow BINDs to > its TCP/IP port (5432) only to connections that originate from > localhost. I need it to not accept *socket* connections if requests > come in from off-box. If I try to set up pg_hba.conf such that it > rejects off-box requests, it seems to do this after it permits the > socket connection, and that won't do for our security geeks here. try listen_addresses = 'localhost' in your postgresql.conf > > For example, here's the difference: > > kwright@merrimack:~$ curl http://duck37:5432 > curl: (52) Empty reply from server > kwright@merrimack:~$ curl http://duck37:5433 > curl: (7) couldn't connect to host > kwright@merrimack:~$ > > Note that the outside world seems to be able to connect to 5432 just > fine, although any *database* connections get (properly) rejected. > > I cannot turn off TCP/IP entirely because I have a Java application that > uses JDBC. > > Can somebody tell me whether this is an innate capability of postgres, > or whether I will need to modify the base code (and if so, WHERE I would > modify it?) > > Thanks, > Karl Wright > > > ---------------------------(end of broadcast)--------------------------- > TIP 1: if posting/reading through Usenet, please send an appropriate > subscribe-nomail command to majordomo@postgresql.org so that your > message can get through to the mailing list cleanly > -- - Rich Doughty
Re: How do I prevent binding to TCP/IP port outside of localhost?
From
"hubert depesz lubaczewski"
Date:
On 2/23/06, Karl Wright <kwright@metacarta.com> wrote: > I have a situation where I need postgres to LISTEN and allow BINDs to > its TCP/IP port (5432) only to connections that originate from > localhost. I need it to not accept *socket* connections if requests with new postgresql's (i dont know which version you are using) you can specify ip address to bind to. so you have to bind to 127.0.0.1 depesz