Thread: open up firewall from "anywhere" to postgres ports?
Hi, I have a very basic issue that i'd like to discuss I have just recieved a newly installed database server. I'm wondering if i should open up the ports to my two clusters 5432 and 5433 from "Anywhere"? As an alternative, i could add each ip address both in the firewall and the pg_hba.conf. I feel that it's a stupid question, since there is pg_hba, which already does this work. Yet all the people that i know, do it in the firewall AND the pg_hba.conf. Is there any potential danger in opening up the firewall for those ports?? cheers, WBL -- "Patriotism is the conviction that your country is superior to all others because you were born in it." -- George Bernard Shaw
Willy-Bas Loos <willybas@gmail.com> writes: > I'm wondering if i should open up the ports to my two clusters 5432 > and 5433 from "Anywhere"? No, not unless you'd like to take the risk of anyone on the internet poking into your databases. > I feel that it's a stupid question, since there is pg_hba, which > already does this work. Well, even if you trust pg_hba.conf to block unwanted connections, someone could still mount a DOS attack by flooding your postmaster with connection requests. It takes a significant number of cycles to reject a request on the basis of pg_hba.conf. regards, tom lane
On Saturday 07 March 2009 1:27:02 pm Willy-Bas Loos wrote: > Hi, > > I have a very basic issue that i'd like to discuss > I have just recieved a newly installed database server. > I'm wondering if i should open up the ports to my two clusters 5432 > and 5433 from "Anywhere"? > As an alternative, i could add each ip address both in the firewall > and the pg_hba.conf. > > I feel that it's a stupid question, since there is pg_hba, which > already does this work. > Yet all the people that i know, do it in the firewall AND the pg_hba.conf. > > Is there any potential danger in opening up the firewall for those ports?? > > cheers, > > WBL > > -- I may be misunderstanding but if you don't allow access to ports 5432 and 5433 in the firewall the packets will never get to the point that the rules in pg_hba.conf apply. Also are you running two instances of Postgres listening on different ports? Just trying to figure where the 5433 comes from. -- Adrian Klaver aklaver@comcast.net
Hi, Tom, thanks! I'll take that advise. > but if you don't allow access to ports 5432 and 5433 > in the firewall the packets will never get to ... Adrian, i was talking about opening up the firewall for "the world" to my postgres ports, instead of granting access to individual ip addresses. Cheers! WBL -- "Patriotism is the conviction that your country is superior to all others because you were born in it." -- George Bernard Shaw
Adrian Klaver wrote: >> but if you don't allow access to ports 5432 and 5433 >> in the firewall the packets will never get to the point that the rules in >> pg_hba.conf apply. Willy-Bas Loos wrote: > Adrian, i [sic] was talking about opening up the firewall for "the world" to > my postgres ports, instead of granting access to individual ip > addresses. His answer took that into account. There is a difference visible to the "outside" between rejection at the firewall and rejection by Postgres's own security. >> Also are you running two instances of Postgres listening on >> different ports? Just trying to figure where the 5433 comes from. Inquiring minds want to know the answer to this (these) question(s). In general, and there can be use cases for different tactics, it is better to firewall the DB port(s) and allow access only from inside the firewall, usually with a mediating application to vet the access. There certainly are dangers to letting the world in to your network. There are a lot of ways to mitigate the risk. A firewall blockade in conjunction with pg_hba.conf rules is one standard, relatively simple and fairly effective tactic. -- Lew