Thread: Patch to make postmaster bind to only to localhost.
All,

The company I work for, DataSoft, is doing a web based project that uses Java and the JDBC driver for postgres. Apparently the developers have told me that the JDBC requires the -i option on postmaster. The only problem is this leaves a visibility to the outside world that we are using postmaster, or some other service. Now we do have the pg_hba.conf configured to allow connections from only that box itself, but you can never be too paranoid.

The patch that is attached adds a "-L" option to postmaster, which tells postmaster to bind only to 127.0.0.1 or localhost. Now this port is not exposed to the outside world, i.e. port scanners can't detect it, and we can run our Java code with a little more comfort.

The patch is against the postgresql-7.0.2 source tree.

The patch was minimally tested under Linux kernel 2.2.5 using a RedHat 6.0 distribution.

The files affected are
postgresql-7.0.2/src/backend/libpq/pqcomm.c
postgresql-7.0.2/src/include/libpq/libpq.h
postgresql-7.0.2/src/backend/postmaster/postmaster.c

The patch just adds the -L option with a bool flag variable BindLocalOnly to postmaster.c.

Also the StreamServerPort function was modified to take an extra bool argument which, if true, causes the socket to be bound to INADDR_LOOPBACK instead of INADDR_ANY.

The patch is just a tar.gz file that extracts over the postgresql-7.0.2 source tree.

If there are any issues please let me know.

Thanks,

John C. Quillan
john_quillan@datasoft.com
On Sun, 10 Sep 2000, John C. Quillan wrote:

> The company I work for, DataSoft, is doing a web based project
> that uses Java and the JDBC driver for postgres. Apparently the
> developers have told me that the JDBC requires the -i option on
> postmaster. The only problem is this leaves a visibility to the
> outside world that we are using postmaster, or some other service.
> Now we do have the pg_hba.conf configured to allow connections
> from only that box itself, but you can never be too paranoid.

The following might also do the trick, btw...

/sbin/ipchains -A input -j REJECT -p tcp -d put.your.ip.here 5432 -i eth0 -l
.. add lines for all other interfaces you want to block ...

This causes any TCP connections to port 5432 on that IP address/interface to be rejected with a connection refused. I've used this for years on my box, and only ever gotten 2 attempted connects.

Don't take me wrong - I would like to see some kind of ability to selectively bind to certain IPs - configfile a'la httpd.conf.

-- 
Dominic J. Eidson
"Baruk Khazad! Khazad ai-menu!" - Gimli
-------------------------------------------------------------------------------
http://www.the-infinite.org/ http://www.the-infinite.org/~dominic/
I am inclined to skip this patch. We already have too many postmaster options, and I don't think adding something that already is done in pg_hba.conf is a big help. Sorry.

> The patch that is attached adds a "-L" option to postmaster, which
> tells postmaster to bind only to 127.0.0.1 or localhost. Now this
> port is not exposed to the outside world, i.e. port scanners can't
> detect it, and we can run our Java code with a little more comfort.

-- 
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
Bruce,

I might agree except for the following. By the time the pg_hba.conf file is checked the connection is already accepted, then rejected by the rule. An outsider could easily overload the postmaster by making repeated connections.

Also with a port scan an outside cracker can get a small piece of information about what is running on your system. The less information a cracker has the better.

With this patch both of these situations would not be possible.

Would you be more open to a more general, but more complex, patch that would allow you to select the IPs that you bind to? This would allow one to configure a system where the localhost and an internal interface are bound, but the external interface to the internet is not.

Thanks,

John C. Quillan

> I am inclined to skip this patch. We already have too many postmaster
> options, and I don't think adding something that already is done in
> pg_hba.conf is a big help. Sorry.
Well, we do reject quite early. For example, we do not start a backend to check if the connection should be received, so it seems like we really are not open to any more DOS attack than telnetd or other servers. Is that a fair statement? I would need to hear someone else who feels strongly about this before adding additional options to the postmaster.

> Bruce,
>
> I might agree except for the following. By the time the pg_hba.conf
> file is checked the connection is already accepted, then rejected
> by the rule. An outsider could easily overload the postmaster by
> making repeated connections.
>
> Also with a port scan an outside cracker can get a small piece of
> information about what is running on your system. The less information
> a cracker has the better.
>
> With this patch both of these situations would not be possible.
>
> Would you be more open to a more general, but more complex, patch that
> would allow you to select the IPs that you bind to? This would allow
> one to configure a system where the localhost and an internal interface
> are bound, but the external interface to the internet is not.
>
> Thanks,
>
> John C. Quillan

-- 
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
I'm kinda in agreement with John on this, it does add a level of security from DOS attacks ... I would have preferred the patch being something that attaches it to a specific IP though, vs just 127.0.0.1 ... I think that would be slightly more useful ... John, any chance of resubmitting it with that feature added to it?

On Tue, 12 Sep 2000, Bruce Momjian wrote:

> Well, we do reject quite early. For example, we do not start a backend
> to check if the connection should be received, so it seems like we
> really are not open to any more DOS attack than telnetd or other
> servers. Is that a fair statement? I would need to hear someone else
> who feels strongly about this before adding additional options to the
> postmaster.

Marc G. Fournier ICQ#7615664 IRC Nick: Scrappy
Systems Administrator @ hub.org
primary: scrappy@hub.org secondary: scrappy@{freebsd|postgresql}.org
The big question is why we can't just scan pg_hba.conf and bind only to those IPs. That way, we don't have to have a new flag. It will all happen by default.

> I'm kinda in agreement with John on this, it does add a level of security
> from DOS attacks ... I would have preferred the patch being something that
> attaches it to a specific IP though, vs just 127.0.0.1 ... I think that
> would be slightly more useful ... John, any chance of resubmitting it with
> that feature added to it?

-- 
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
On Tue, 12 Sep 2000, Bruce Momjian wrote:

> The big question is why we can't just scan pg_hba.conf and bind only
> to those IPs. That way, we don't have to have a new flag. It will
> all happen by default.

huh? pg_hba.conf references IPs on remote hosts ... won't you find it kinda difficult to bind to them? :)

Marc G. Fournier ICQ#7615664 IRC Nick: Scrappy
Systems Administrator @ hub.org
primary: scrappy@hub.org secondary: scrappy@{freebsd|postgresql}.org
> On Tue, 12 Sep 2000, Bruce Momjian wrote:
>
> > The big question is why we can't just scan pg_hba.conf and bind only
> > to those IPs. That way, we don't have to have a new flag. It will
> > all happen by default.
>
> huh? pg_hba.conf references IPs on remote hosts ... won't you find it
> kinda difficult to bind to them? :)

Well, we list the IP numbers we will accept connections from in pg_hba.conf. If only one IP address appears in the file, why not just bind to that one only?

-- 
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
On Tue, 12 Sep 2000, Bruce Momjian wrote:

> > huh? pg_hba.conf references IPs on remote hosts ... won't you find it
> > kinda difficult to bind to them? :)
>
> Well, we list the IP numbers we will accept connections from in
> pg_hba.conf. If only one IP address appears in the file, why not just
> bind to that one only?

okay, unless my read of Stevens' missed something, you cannot bind to *the remote host* ... you can only bind to an IP on the local machine ... pg_hba.conf lists *remote hosts*, not local ones ...

Basically, binding means listening to a specific interface ... since the remote host IP is not a local IP, you can't listen on that interface ...
> On Tue, 12 Sep 2000, Bruce Momjian wrote: > > > > On Tue, 12 Sep 2000, Bruce Momjian wrote: > > > > > > > The big question is why we can't just scan pg_hba.conf and bind only > > > > to those ip's. That way, we don't have to have a new flag. It will > > > > all happen by default. > > > > > > huh? pg_hba.conf references IPs on remote hosts ... won't you find i > > > tkinda difficult to bind to them? :) > > > > Well, we list the IP numbers we will accept connections from in > > pg_hba.conf. If only on IP address appears on the file, why not just > > bind to that one only? > > okay, unless my read of Steven's missed something, you cannot bind to *the > remote host* ... you can only bind to an IP on the local machine > ... pg_hba.conf lists *remote hosts*, not local ones ... > > Basically, binding means listening to a specific interface ... since the > remote host IP is not a local IP, you can't listen on that interface ... OK, but how then does -L work? Seems it only accept 127.0.0.1 connections. -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 853-3000 + If your life is a hard drive, | 830 Blythe Avenue + Christ can be your backup. | Drexel Hill, Pennsylvania 19026
On Tue, 12 Sep 2000, Bruce Momjian wrote:

> > Basically, binding means listening to a specific interface ... since the
> > remote host IP is not a local IP, you can't listen on that interface ...
>
> OK, but how then does -L work? Seems it only accepts 127.0.0.1 connections.

it binds the postmaster process to the 127.0.0.1 (localhost) interface that is on your computer ... so that if I try to connect to 127.0.0.1 on that machine, I'll get the postmaster, any other IP on that machine will get me a 'connection refused, no such service' ...

Right now, with pg_hba.conf, everything is wide open as far as what interface I can connect *to*, and after that connection, then it decides if it wants to keep me or not based on my IP ...

actually, my first para is a bit wrong, since nobody but the *local* machine can connect to 127.0.0.1, since, were you to try, for instance:

telnet 127.0.0.1 smtp

on your machine, you would connect to *your* smtp daemon ...

John's problem is that the software he's wanting to use on the local machine requires him to start it up with -i, even though he's *on* the local machine, so where he could normally use Unix-Domain Sockets, the app can't use it, and he wishes to eliminate the knowledge of PostgreSQL running on his machine to the outside world ...
> it binds the postmaster process to the 127.0.0.1 (localhost) interface
> that is on your computer ... so that if I try to connect to 127.0.0.1 on that
> machine, I'll get the postmaster, any other IP on that machine will get me
> a 'connection refused, no such service' ...
>
> Right now, with pg_hba.conf, everything is wide open as far as what
> interface I can connect *to*, and after that connection, then it decides
> if it wants to keep me or not based on my IP ...
>
> John's problem is that the software he's wanting to use on the local
> machine requires him to start it up with -i, even though he's *on* the
> local machine, so where he could normally use Unix-Domain Sockets, the app
> can't use it, and he wishes to eliminate the knowledge of PostgreSQL
> running on his machine to the outside world ...

But can't we look at pg_hba.conf and find that only 127.0.0.1 is defined to accept connections, and if so, use the -L code automatically?

-- 
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
On Tue, 12 Sep 2000, Bruce Momjian wrote:

> But can't we look at pg_hba.conf and find that only 127.0.0.1 is defined
> to accept connections, and if so, use the -L code automatically.

we could, but, as I asked John for, I'd rather a more generic solution that allows me to bind the daemon to IP A, so that I can start up a second one on IP B on the same machine ... which becomes great for doing things like traffic monitoring, since I can monitor traffic going to database A separately from database B ...

I like John's thought, but think it stops too short, but should be relatively easy to extend ...
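The binding behaviour described in the two messages above (bind to 127.0.0.1 and every other local address gets "connection refused") together with the per-IP form asked for here, as an added C example that is not the submitted patch or PostgreSQL code: `stream_server_port` stands in for the patched StreamServerPort but takes an address instead of a bool, `can_connect` is a hypothetical probe, and the 127.0.0.2 check assumes Linux, where all of 127.0.0.0/8 sits on the loopback interface.

```c
/* Added example, not the submitted patch: a StreamServerPort-style listener
 * bound to one address instead of INADDR_ANY. Function names are hypothetical. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Listen on bind_addr: "127.0.0.1" is the -L behaviour, "0.0.0.0" the old
 * INADDR_ANY behaviour, any other local IP the generic "bind to IP A" form.
 * port 0 picks an ephemeral port, reported via *port_out. Returns fd or -1. */
int stream_server_port(const char *bind_addr, unsigned short port,
                       unsigned short *port_out)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET; sa.sin_port = htons(port);
    if (inet_pton(AF_INET, bind_addr, &sa.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        listen(fd, 5) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        close(fd);
        return -1;
    }
    if (port_out) *port_out = ntohs(sa.sin_port);
    return fd;
}

/* Probe dst_addr:port from this host: 0 if the handshake completes, -1 if
 * not (the 'connection refused' a daemon bound only to 127.0.0.1 gives on
 * every other local address). The send timeout keeps a dropped SYN from hanging. */
int can_connect(const char *dst_addr, unsigned short port)
{
    struct sockaddr_in sa;
    struct timeval tv = { 2, 0 };
    int fd = socket(AF_INET, SOCK_STREAM, 0), rc;
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof tv);
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET; sa.sin_port = htons(port);
    rc = (inet_pton(AF_INET, dst_addr, &sa.sin_addr) == 1 &&
          connect(fd, (struct sockaddr *)&sa, sizeof sa) == 0) ? 0 : -1;
    close(fd);
    return rc;
}
```

With the listener on 0.0.0.0 a connect to 127.0.0.2 succeeds; with it on 127.0.0.1 the same connect is refused, which is exactly the effect -L relies on, and a firewall rule or pg_hba.conf never enters into it.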
All,

I thought I would throw in my 2c into this discussion.

First: Bruce, I believe you said earlier that we don't even fire up a back end before we reject them. From what I could see from a strace, the pg_hba.conf file is never opened by the postmaster, so I am not sure how this can be.

I will look more into this later to thoroughly verify this statement.

>
> On Tue, 12 Sep 2000, Bruce Momjian wrote:
>
> > But can't we look at pg_hba.conf and find that only 127.0.0.1 is defined
> > to accept connections, and if so, use the -L code automatically.
>

We can. The only thing is that currently the postmaster doesn't open the pg_hba.conf file. This was my original thought as well, adding a bind option, but then I didn't see the code to open the pg_hba.conf file and thought it probably didn't belong there, but maybe it does.

> we could, but, as I asked John for, I'd rather a more generic solution
> that allows me to bind the daemon to IP A, so that I can start up a second
> one on IP B on the same machine ... which becomes great for doing things
> like traffic monitoring, since I can monitor traffic going to database A
> separately from database B ...
>

I have looked into the more generic solution, but it was somewhat more complicated, so out of laziness I took the route that served my immediate needs. Besides, I figured quite a few people are probably using the JDBC driver, which requires the -i option, and would need the same thing.

> I like John's thought, but think it stops too short, but should be
> relatively easy to extend ...

I would be willing to take a hack at making a more generic version of this option. I have already given some thought in my head as to what it would take. It will probably take a week or 2 to get it done, with the time constraints I currently have.

Thanks,
John C. Quillan
> All,
>
> I thought I would throw in my 2c into this discussion.
>
> First: Bruce, I believe you said earlier that we don't even fire
> up a back end before we reject them. From what I could see from
> a strace, the pg_hba.conf file is never opened by the postmaster,
> so I am not sure how this can be.
>
> I will look more into this later to thoroughly verify this statement.

I can assure you that the postmaster reads the pg_hba.conf, and no database access is performed for validation. In fact, we go through great hurdles to enable this. The dump of pg_shadow to a flat file is just one of the things we have to do so the postmaster can do its job with no database access.

--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
John C. Quillan writes:

> The patch just adds the -L option with a bool flag variable
> BindLocalOnly to postmaster.c

"postmaster option" is the wrong way to think. Look at src/backend/utils/misc/guc.c to add a generic configuration setting.

--
Peter Eisentraut peter_e@gmx.net http://yi.org/peter-e/
Agreed.

> John C. Quillan writes:
>
> > The patch just adds the -L option with a bool flag variable
> > BindLocalOnly to postmaster.c
>
> "postmaster option" is the wrong way to think. Look at
> src/backend/utils/misc/guc.c to add a generic configuration setting.
>
> --
> Peter Eisentraut peter_e@gmx.net http://yi.org/peter-e/
>

--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026