Adrian Klaver wrote:
but if you don't allow access to ports 5432 and 5433
in the firewall the packets will never get to the point that the rules in
pg_hba.conf apply.
Willy-Bas Loos wrote:
Adrian, i [sic] was talking about opening up the firewall for "the world" to
my postgres ports, instead of granting access to individual ip
addresses.
His answer took that into account.
There is a difference visible to the "outside" between rejection at the
firewall and rejection by Postgres's own security.
Also are you running two instances of Postgres listening on
different ports? Just trying to figure where the 5433 comes from.
Inquiring minds want to know the answer to this (these) question(s).
In general, and there can be use cases for different tactics, it is better to
firewall the DB port(s) and allow access only from inside the firewall,
usually with a mediating application to vet the access.
There certainly are dangers to letting the world in to your network. There
are a lot of ways to mitigate the risk. A firewall blockade in conjunction
with pg_hba.conf rules is one standard, relatively simple and fairly effective
tactic.
--
Lew
--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
