if its linux, use iptables to block to port. ---------- Original Message ----------- From: Karl Wright <kwright@xxxxxxxxxxxxx> To: pgsql-general@xxxxxxxxxxxxxx Sent: Thu, 23 Feb 2006 15:49:09 -0500 Subject: [GENERAL] How do I prevent binding to TCP/IP port outside of localhost? > I have a situation where I need postgres to LISTEN and allow BINDs to > its TCP/IP port (5432) only to connections that originate from > localhost. I need it to not accept *socket* connections if requests > come in from off-box. If I try to set up pg_hba.conf such that it > rejects off-box requests, it seems to do this after it permits the > socket connection, and that won't do for our security geeks here. > > For example, here's the difference: > > kwright@merrimack:~$ curl http://duck37:5432 > curl: (52) Empty reply from server > kwright@merrimack:~$ curl http://duck37:5433 > curl: (7) couldn't connect to host > kwright@merrimack:~$ > > Note that the outside world seems to be able to connect to 5432 just > fine, although any *database* connections get (properly) rejected. > > I cannot turn off TCP/IP entirely because I have a Java application that > uses JDBC. > > Can somebody tell me whether this is an innate capability of postgres, > or whether I will need to modify the base code (and if so, WHERE I would > modify it?) > > Thanks, > Karl Wright > > ---------------------------(end of broadcast)--------------------------- > TIP 1: if posting/reading through Usenet, please send an appropriate > subscribe-nomail command to majordomo@xxxxxxxxxxxxxx so that your > message can get through to the mailing list cleanly ------- End of Original Message -------
