Re: How do I prevent binding to TCP/IP port outside of

Karl Wright wrote:
> I have a situation where I need postgres to LISTEN and allow BINDs to
> its TCP/IP port (5432) only to connections that originate from
> localhost. I need it to not accept *socket* connections if requests
> come in from off-box. If I try to set up pg_hba.conf such that it
> rejects off-box requests, it seems to do this after it permits the
> socket connection, and that won't do for our security geeks here.

try listen_addresses = 'localhost' in your postgresql.conf

>
> For example, here's the difference:
>
> kwright(at)merrimack:~$ curl http://duck37:5432
> curl: (52) Empty reply from server
> kwright(at)merrimack:~$ curl http://duck37:5433
> curl: (7) couldn't connect to host
> kwright(at)merrimack:~$
>
> Note that the outside world seems to be able to connect to 5432 just
> fine, although any *database* connections get (properly) rejected.
>
> I cannot turn off TCP/IP entirely because I have a Java application that
> uses JDBC.
>
> Can somebody tell me whether this is an innate capability of postgres,
> or whether I will need to modify the base code (and if so, WHERE I would
> modify it?)
>
> Thanks,
> Karl Wright
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 1: if posting/reading through Usenet, please send an appropriate
> subscribe-nomail command to majordomo(at)postgresql(dot)org so that your
> message can get through to the mailing list cleanly
>

--

- Rich Doughty