Re: Firewall Security Requirements for Postgresql Access

From: Bruno Wolff III <bruno(at)wolff(dot)to>
To: Randy Yates <yates(at)ieee(dot)org>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Firewall Security Requirements for Postgresql Access
Date: 2004-09-14 16:42:21
Message-ID: 20040914164221.GA3441@wolff.to
Lists: pgsql-general

On Wed, Sep 08, 2004 at 03:12:29 +0000,
Randy Yates <yates(at)ieee(dot)org> wrote:
> bench(at)silentmedia(dot)com (Ben) writes:
>
> > Well, R/W doesn't make much sense for TCP.... incoming/outgoing SYN
> > packets make more sense, and if the database is located outside the
> > firewall, you really only need to allow outgoing SYN packets on the port
> > (as well as packets related to that session, of course).
>
> Are you suggesting that the firewall be configured so that the only
> outgoing packets allowed through are ones with the SYN bit set in the
> CODE BITS field of the TCP header? I'm fairly ignorant on protocol
> matters, and I don't understand why one would single out these types
> of TCP segments. Could you please expound?

Blocking SYN packets can be used to prevent the setup of a TCP connection.
One way to block inbound connections to ports, but allow outbound connections
to them, is to block incoming SYN packets. This has the advantage that no
state needs to be maintained about the connection. The normal situation is
that inbound SYN packets are blocked except for the few ports to which you
want to allow connections.
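The following is an added example, not part of the original thread, of the stateless policy described above: a Linux iptables rule set that drops inbound SYN-only segments except on a short list of ports, plus a small shell model of the same decision so it can be checked on constructed segments without root. It assumes iptables, PostgreSQL on its default port 5432, SSH on 22 and eth0 as the Internet-facing interface; none of those appear in the post. The iptables commands are printed rather than executed.

```shell
#!/bin/sh
# Added example (not from the original thread): a stateless firewall policy
# that blocks inbound TCP connection attempts by dropping inbound segments
# that are SYN-only (SYN set, ACK/RST/FIN clear), while leaving outbound
# connections and their replies untouched. No connection tracking is needed.
#
# Assumptions (not stated in the post): Linux iptables, PostgreSQL on its
# default port 5432, SSH on 22, and eth0 as the Internet-facing interface.
# The iptables commands are printed, not executed, so the script is safe to run.

IFACE="eth0"
ALLOWED_PORTS="22 5432"   # inbound connections we do want to accept

# Print the iptables rules for the policy. "--syn" is shorthand for
# "--tcp-flags SYN,RST,ACK,FIN SYN": it matches only the first segment of a
# new connection. A SYN-ACK (the reply to a connection *we* opened) has ACK
# set, so it does not match and is not blocked.
print_rules() {
    for port in $ALLOWED_PORTS; do
        printf 'iptables -A INPUT -i %s -p tcp --dport %s --syn -j ACCEPT\n' "$IFACE" "$port"
    done
    printf 'iptables -A INPUT -i %s -p tcp --syn -j DROP\n' "$IFACE"
}

# Pure-shell model of the same decision, so the logic can be checked without
# root or a real interface. Arguments: a comma-separated TCP flag list as a
# packet capture would show it (e.g. "SYN", "SYN,ACK", "ACK", "RST") and the
# destination port. Prints ACCEPT or DROP.
classify_inbound() {
    flags="$1"; dport="$2"
    syn=0; other=0
    # Split the flag list on commas and note which of the four flags
    # "--syn" looks at are present.
    old_ifs="$IFS"; IFS=','
    for f in $flags; do
        case "$f" in
            SYN) syn=1 ;;
            ACK|RST|FIN) other=1 ;;
        esac
    done
    IFS="$old_ifs"
    if [ "$syn" -eq 1 ] && [ "$other" -eq 0 ]; then
        # SYN-only segment: a new inbound connection attempt. Allowed only
        # on the listed ports.
        result=DROP
        for p in $ALLOWED_PORTS; do
            if [ "$p" = "$dport" ]; then result=ACCEPT; fi
        done
        echo "$result"
        return
    fi
    # Everything else (SYN-ACK replies, data, RST, FIN) passes: the rules
    # above only ever look at SYN-only segments.
    echo ACCEPT
}

# Usage: print the rules and try a few constructed segments.
print_rules
classify_inbound SYN 5432        # ACCEPT: inbound connection to PostgreSQL, allowed
classify_inbound SYN 3306        # DROP: inbound connection to some other port
classify_inbound SYN,ACK 45123   # ACCEPT: reply to a connection we opened
classify_inbound ACK 3306        # ACCEPT: not a connection attempt
```

Two caveats a practitioner should keep in mind. First, the match must be on SYN-only, not merely "SYN bit set": the SYN-ACK that answers an outbound connection is also an inbound segment with SYN set, and a rule that drops all inbound SYN would break every outbound connection. Second, because the filter keeps no state, any inbound non-SYN segment is let through whether or not a connection exists; that is the trade-off accepted in exchange for not tracking connections. The mirror image of this policy, restricting outbound SYN to the database port, is the "outgoing SYN" arrangement Ben described for a database outside the firewall.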
