Re: pg_hba.conf hostname todo

From: "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: pg_hba.conf hostname todo
Date: 2006-12-27 22:16:58
Message-ID: 1167257818.12075.65.camel@localhost.localdomain
Lists: pgsql-hackers

On Wed, 2006-12-27 at 17:02 -0500, Stephen Frost wrote:
> * Joshua D. Drake (jd(at)commandprompt(dot)com) wrote:
> > On Wed, 2006-12-27 at 16:41 -0500, Stephen Frost wrote:
> > > I'm inclined towards doing the reverse-DNS of the connecting IP and then
> > > checking that the forward of that matches.
> >
> > Hmm, what if it doesn't? Which is the case in many scenarios. My thoughts
> > are:
>
> If it doesn't then it's not allowed, of course. :)
>
> > If www.commandprompt.com is allowed, then the ip address 207.173.200.129
> > is allowed to connect.
> >
> > If we go the reverse way:
> >
> > 129.200.173.207.in-addr.arpa name = 129.commandprompt.com.
> >
> > Which really isn't that useful imo.
>
> While I agree that the way your reverse DNS has been done isn't very
> useful, I don't feel that such a setup should be encouraged or
> accommodated by an authorization system.

Well, from the lazy hat of a sysadmin: the *only* reason I even have
reverse DNS is to deal with SMTP servers that won't accept email unless
the IP has a reverse ;)

> There's a couple of reasons
> to go with reverse DNS:
>
> #1: www.commandprompt.com could legitimately map to multiple IP
> addresses

Agreed, I was thinking about that. The only thing I could come up with
is a list that would be checked (think where foo IN ())

>
> #2: You may not be able to see all the addresses it maps to at a given
> time without a bunch of work (potentially requiring multiple look-ups)

Hmm... I would have to check that.

>
> #4: Even in the case mentioned, 129.commandprompt.com does resolve back
> to the appropriate IP, so the re-check would succeed (but you'd have to
> put 129.commandprompt.com into pg_hba, or change it to 'www129' and put
> 'www*' in)

My proposal does not accept that syntax. I think www* would be insane.

> > syntaxes that are available :)
>
> Sure. Either way for this is alright with me, really. Just be sure to
> document it clearly whichever way you decide to go. :)

Like the stone tablets of God.

Joshua D. Drake

>
> Thanks,
>
> Stephen
--

=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/

Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate
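The three checks being argued over above, side by side, as an added example that is not part of the original message and not PostgreSQL's own code: Stephen's reverse-then-forward check (forward-confirmed reverse DNS), Joshua's forward-only "where foo IN (...)" check, and a reverse-only check that neither of them wants. The DNS data is a constructed in-memory table rather than real lookups: 207.173.200.129 and the commandprompt.com names come from the thread, while the second www address and the 192.0.2.10 and 198.51.100.5 clients are assumptions. All function names are hypothetical.

```python
"""Forward-confirmed reverse DNS vs. forward-only vs. reverse-only matching for a
pg_hba.conf-style host name entry. Added example, not PostgreSQL code."""
import ipaddress
from typing import Dict, List

# Constructed, offline DNS data (an assumption, not real records).
# 207.173.200.129 and the commandprompt.com names are from the thread;
# 207.173.200.130 is an assumed second address for www, and the
# 192.0.2.0/24 and 198.51.100.0/24 documentation ranges stand in for
# other clients.
PTR_RECORDS: Dict[str, List[str]] = {
    "207.173.200.129": ["129.commandprompt.com."],
    # A client in an unrelated network whose reverse zone (which its own
    # operator controls) claims the name www.commandprompt.com:
    "192.0.2.10": ["www.commandprompt.com."],
    # 198.51.100.5 has no PTR record at all.
}
A_RECORDS: Dict[str, List[str]] = {
    "www.commandprompt.com": ["207.173.200.129", "207.173.200.130"],
    "129.commandprompt.com": ["207.173.200.129"],
}


def canon(name: str) -> str:
    """Lower-case and strip the trailing dot so names compare reliably."""
    return name.lower().rstrip(".")


def reverse_lookup(ip: str) -> List[str]:
    """Stand-in for a PTR query; returns canonicalised names, or [] if none."""
    key = str(ipaddress.ip_address(ip))
    return [canon(n) for n in PTR_RECORDS.get(key, [])]


def forward_lookup(name: str) -> List[str]:
    """Stand-in for an A/AAAA query on a host name."""
    return list(A_RECORDS.get(canon(name), []))


def reverse_only_allows(entry: str, client_ip: str) -> bool:
    """Unsafe variant: trust the PTR name as-is. Whoever controls the reverse
    zone for client_ip decides what this returns."""
    return canon(entry) in reverse_lookup(client_ip)


def fcrdns_names(client_ip: str) -> List[str]:
    """PTR names of client_ip whose forward records include client_ip."""
    ip = ipaddress.ip_address(client_ip)
    confirmed = []
    for name in reverse_lookup(client_ip):
        if any(ipaddress.ip_address(a) == ip for a in forward_lookup(name)):
            confirmed.append(name)
    return confirmed


def fcrdns_allows(entry: str, client_ip: str) -> bool:
    """Stephen's proposal: reverse-resolve the client, then require that the
    forward of that name maps back to the client. No PTR, or a mismatch,
    means "not allowed"."""
    return canon(entry) in fcrdns_names(client_ip)


def forward_only_allows(entry: str, client_ip: str) -> bool:
    """Joshua's proposal: resolve the pg_hba.conf name and test
    client_ip IN (its addresses). Multiple A records are handled naturally."""
    ip = ipaddress.ip_address(client_ip)
    return any(ipaddress.ip_address(a) == ip for a in forward_lookup(entry))


if __name__ == "__main__":
    for entry, ip in [("www.commandprompt.com", "207.173.200.129"),
                      ("129.commandprompt.com", "207.173.200.129"),
                      ("www.commandprompt.com", "207.173.200.130"),
                      ("www.commandprompt.com", "192.0.2.10"),
                      ("129.commandprompt.com", "198.51.100.5")]:
        print(f"{entry:24} {ip:16} reverse-only={reverse_only_allows(entry, ip)!s:5} "
              f"fcrdns={fcrdns_allows(entry, ip)!s:5} "
              f"forward-only={forward_only_allows(entry, ip)}")
```

The case that separates the three is the 192.0.2.10 client: its reverse zone claims to be www.commandprompt.com, so the reverse-only check admits it, while both the forward-confirmed and the forward-only check reject it, because the forward records for www are controlled by the owner of commandprompt.com, not by whoever owns the client's address block. The same data shows Joshua's complaint: with a PTR of 129.commandprompt.com, the forward-confirmed check only matches an entry of 129.commandprompt.com, never www, while the forward-only check matches www for both of its addresses (point #1 above). Matching 'www*' against unconfirmed PTR names would just be the reverse-only case with a wider net.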
