Re: correct config (and syntax) for remote access

From: P Kapat <kap4lin(at)gmail(dot)com>
To: Bob McConnell <rmcconne(at)lightlink(dot)com>
Cc: pgsql-novice(at)postgresql(dot)org
Subject: Re: correct config (and syntax) for remote access
Date: 2009-03-17 16:05:48
Message-ID: daef5be80903170905u74a47681oa73e01ca96629ecf@mail.gmail.com
Lists: pgsql-novice

On Mon, Mar 16, 2009 at 6:42 PM, Bob McConnell <rmcconne(at)lightlink(dot)com> wrote:
> P Kapat wrote:
>>
>> On Sun, Mar 15, 2009 at 9:08 AM, Bob McConnell <rmcconne(at)lightlink(dot)com> wrote:
>>>
>>> P Kapat wrote:
>>>>
>>>> Host A (IP : 1.2.3.4) has the 8.1.11 postgres server running. I want
>>>> to set it up so that I can connect from Host B (IP 5.6.7.8).
>>>>
>>>> Relevant lines from /var/lib/pgsql/data/pg_hba.conf (on host A)
>>>> local   all         postgres                          ident sameuser
>>>> local   all         all                               ident sameuser
>>>> host    all         all         127.0.0.1/32          md5
>>>> host    all         foouser      5.6.7.8/32       md5
>>>>
>>>> Relevant lines from /var/lib/pgsql/data/postgresql.conf (on host A):
>>>> listen_addresses = 'localhost,5.6.7.8'
>>>>
>>>> Will this work? The firewall has 5432 port open for connection between A
>>>> and B.
>>>>
>>> Not quite. The listen_addresses should be 'localhost,1.2.3.4'. localhost is
>>> 127.0.0.1, which can be reached by any process on that machine. The other
>>> address is the TCP/IP address for the interface you want postgres to receive
>>> connections on. It has to be an address on the same computer as your server,
>>> i.e. one that shows up when you run 'ifconfig' on that box. It is probably
>>> easier to just use '*' unless you have multiple network interfaces.
>>>
>>> Don't forget to restart the server after you change those files.
>>
>> @Peter, Bob: Thanks. I had a wrong notion of "listen_addresses"!
>> Everything works fine now...
>>
>> One final question: Is there any "security" related difference
>> between, listen_addresses='localhost, 1.2.3.4' and
>> listen_addresses='*' that I should be aware of? There is only one
>> network card on the server machine, so does it matter?
>>
>
> AFAICT, when you run 'ifconfig' you get a list of all the interfaces that
> will be able to access the server when you use '*'. As long as you only have
> the one NIC and the loopback device, it shouldn't make any difference. But
> as soon as you add another NIC, configure a VM, or define a TUN or TAP
> device for a VPN, etc., you might want to limit the connection list just to
> minimize the load from that traffic. However, the actual security is set up
> in pg_hba.conf.

Thanks Bob, I guess I'll stick with 'localhost,1.2.3.4' setup for
now.... I already have a restricted config in pg_hba.conf... So,
hopefully things should be OK.

--
Regards
PK
--------------------------------------
http://counter.li.org #402424
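
Added example (not part of the original thread, and not PostgreSQL project code): a small Python check for the two settings discussed above. It flags listen_addresses entries that are not addresses of the server itself (the mistake in the first message) or that use '*', and pg_hba.conf host lines that use 'trust' or admit more than one client address. The LOCAL_ADDRS set, the function names and the sample data are constructed for illustration.

```python
import ipaddress

# Constructed sample data mirroring the thread: host A is 1.2.3.4, host B is 5.6.7.8.
LOCAL_ADDRS = {"127.0.0.1", "1.2.3.4"}  # assumed: what 'ifconfig' lists on host A
PG_HBA = """\
local   all         postgres                          ident sameuser
local   all         all                               ident sameuser
host    all         all         127.0.0.1/32          md5
host    all         foouser     5.6.7.8/32            md5
"""

def check_listen(value, local_addrs):
    """Flag listen_addresses entries that are not local, and the '*' wildcard."""
    findings = []
    for entry in (e.strip() for e in value.split(",")):
        if entry == "*":
            findings.append("'*': listens on every interface of this server")
        elif entry and entry != "localhost" and entry not in local_addrs:
            findings.append(f"{entry}: not an address on this server")
    return findings

def check_hba(text, max_hosts=1):
    """Flag host lines that use 'trust' or admit more than max_hosts addresses."""
    findings = []
    for line in text.splitlines():
        f = line.split("#")[0].split()
        if len(f) < 5 or not f[0].startswith("host"):
            continue  # 'local' (Unix socket) lines, comments, blanks
        # Address is either CIDR (one field) or IP plus netmask (two fields).
        if "/" in f[3]:
            addr, method = f[3], f[4]
        elif len(f) >= 6:
            addr, method = f"{f[3]}/{f[4]}", f[5]
        else:
            continue
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            continue  # not an IP range; skipped
        if method == "trust":
            findings.append(f"{net}: 'trust' skips password checking")
        if net.num_addresses > max_hosts:
            findings.append(f"{net}: admits {net.num_addresses} addresses")
    return findings

if __name__ == "__main__":
    for v in ("localhost,5.6.7.8", "localhost,1.2.3.4", "*"):
        print(v, "->", check_listen(v, LOCAL_ADDRS) or "ok")
    print("pg_hba.conf ->", check_hba(PG_HBA) or "ok")
```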
