Magnus Hagander wrote:
> On 1 okt 2009, at 06.53, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>
> > Peter Eisentraut <peter_e@gmx.net> writes:
> >> On Wed, 2009-09-30 at 22:08 -0400, Tom Lane wrote:
> >>> (Note that you would still need a non-default setting of
> >>> listen_addresses for "-h machine_name" to actually work.)
> >
> >> Which makes this proposal kind of uninteresting.
> >
> > Although come to think of it ... is there any reason besides sheer
> > conservatism to not make the default listen_addresses value '*'?
> > It won't result in letting in any outside connections unless you
> > also add pg_hba.conf entries.
>
> Absolutely. One less opportunity to DOS the server - it's certainly
> cheaper to deal with connection floods by never even answering the
> socket. Also, showing up in portscans for example.
>
> Now, that trust authentication is a different issue ;)
It seems the purpose of listen_addresses was not clear to everyone, so I
have added the attached documentation sentence to specify its purpose.
--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +
Index: doc/src/sgml/config.sgml
===================================================================
RCS file: /cvsroot/pgsql/doc/src/sgml/config.sgml,v
retrieving revision 1.229
diff -c -c -r1.229 config.sgml
*** doc/src/sgml/config.sgml 22 Sep 2009 23:43:37 -0000 1.229
--- doc/src/sgml/config.sgml 3 Oct 2009 23:07:43 -0000
***************
*** 329,336 ****
at all, in which case only Unix-domain sockets can be used to connect
to it.
The default value is <systemitem class="systemname">localhost</>,
! which allows only local <quote>loopback</> connections to be made.
! This parameter can only be set at server start.
</para>
</listitem>
</varlistentry>
--- 329,342 ----
at all, in which case only Unix-domain sockets can be used to connect
to it.
The default value is <systemitem class="systemname">localhost</>,
! which allows only local <quote>loopback</> connections to be
! made. While client authentication (<xref
! linkend="client-authentication">) allows fine-grained control
! over who can access the server, <varname>listen_addresses</varname>
! controls which interfaces accept connection attempts, which
! can help prevent repeated malicious connection requests on
! insecure network interfaces. This parameter can only be set
! at server start.
</para>
</listitem>
</varlistentry>
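Review bot: The added sentence says listen_addresses "can help prevent repeated malicious connection requests on insecure network interfaces", which overstates the effect. The setting cannot stop anyone from sending requests. It only determines that the server is not listening on the other interfaces, so those attempts never reach the server or its authentication code. Consider wording along the lines of "controls which interfaces the server listens on, so connection attempts arriving on other interfaces are never handled by the server". "Accept connection attempts" in the preceding clause is similarly loose, since it can be read as accepting the connection itself rather than listening for it. "Insecure network interfaces" is also left undefined here, and a reader may not know whether it means untrusted networks or something about the interface itself.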