Re: Use "samehost" by default in pg_hba.conf?

From Bruce Momjian
Subject Re: Use "samehost" by default in pg_hba.conf?
Date
Msg-id 200910032311.n93NBWR08653@momjian.us
In reply to Re: Use "samehost" by default in pg_hba.conf?  (Magnus Hagander <magnus@hagander.net>)
List pgsql-hackers
Magnus Hagander wrote:
> On 1 okt 2009, at 06.53, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>
> > Peter Eisentraut <peter_e@gmx.net> writes:
> >> On Wed, 2009-09-30 at 22:08 -0400, Tom Lane wrote:
> >>> (Note that you would still need a non-default setting of
> >>> listen_addresses for "-h machine_name" to actually work.)
> >
> >> Which makes this proposal kind of uninteresting.
> >
> > Although come to think of it ... is there any reason besides sheer
> > conservatism to not make the default listen_addresses value '*'?
> > It won't result in letting in any outside connections unless you
> > also add pg_hba.conf entries.
>
> Absolutely. One less opportunity to DOS the server - it's certainly
> cheaper to deal with connection floods by never even answering the
> socket. Also, showing up in portscans for example.
>
> Now, that trust authentication is a different issue ;)

It seems the purpose of listen_addresses was not clear to everyone, so I
have added the attached documentation sentence to specify its purpose.

--
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +
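The two layers Tom and Magnus are discussing above, listen_addresses (which interfaces the postmaster binds at all) and pg_hba.conf (who may authenticate once an attempt reaches the server), can be modelled side by side. The script below is an added example, not code from PostgreSQL or from this thread; the server interfaces, the pg_hba.conf text and the client addresses are constructed, it handles IPv4 and CIDR-notation address columns only, and it treats '*' as "every interface" without the IPv6 wildcard the real server also binds.

```python
"""Added example (not PostgreSQL code): how listen_addresses and pg_hba.conf
combine to decide the fate of a TCP connection attempt.

Layer 1, listen_addresses: an interface the postmaster does not bind refuses
the attempt at the socket, so no backend is started and the server is not
visible there at all.  Layer 2, pg_hba.conf: for attempts that do arrive, the
first matching rule decides whether and how the client must authenticate.
"""
import ipaddress

# Constructed sample: local interfaces of a hypothetical server host.
SERVER_INTERFACES = {
    "lo":   ipaddress.ip_address("127.0.0.1"),
    "eth0": ipaddress.ip_address("10.0.0.5"),      # internal network
    "eth1": ipaddress.ip_address("203.0.113.7"),   # reachable from outside
}

# Constructed pg_hba.conf (CIDR notation only; the netmask column is not handled).
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   127.0.0.1/32   md5
host    app       app   10.0.0.0/8     scram-sha-256
host    all       all   0.0.0.0/0      reject
"""


def bound_addresses(listen_addresses):
    """Map a listen_addresses value to the set of local IPs the postmaster binds.

    '' disables TCP entirely (Unix-domain sockets only), '*' or '0.0.0.0'
    means every interface, 'localhost' is the loopback address, and anything
    else is treated as a comma-separated list of interface IPs.
    """
    value = listen_addresses.strip()
    if value == "":
        return set()
    bound = set()
    for item in (part.strip() for part in value.split(",")):
        if item in ("*", "0.0.0.0"):
            return set(SERVER_INTERFACES.values())
        if item == "localhost":
            bound.add(ipaddress.ip_address("127.0.0.1"))
        else:
            bound.add(ipaddress.ip_address(item))
    return bound


def parse_hba(text):
    """Parse the TCP ('host', 'hostssl', 'hostnossl') rules of a pg_hba.conf text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            continue                             # Unix-socket rules never match TCP clients
        conn_type, database, user, address, method = fields[:5]
        rules.append({"type": conn_type, "database": database, "user": user,
                      "network": ipaddress.ip_network(address), "method": method})
    return rules


def evaluate(listen_addresses, hba_text, target_ip, client_ip, database, user, ssl=False):
    """Return a string describing where a connection attempt is stopped, or how it proceeds."""
    target = ipaddress.ip_address(target_ip)
    client = ipaddress.ip_address(client_ip)
    # Layer 1: is the postmaster even listening on the interface the client hit?
    if target not in bound_addresses(listen_addresses):
        return "refused: not listening on %s (attempt never reaches the server)" % target
    # Layer 2: first matching pg_hba.conf rule wins, as in the real server.
    for rule in parse_hba(hba_text):
        if rule["type"] == "hostssl" and not ssl:
            continue
        if rule["type"] == "hostnossl" and ssl:
            continue
        if rule["database"] not in ("all", database):
            continue
        if rule["user"] not in ("all", user):
            continue
        if client not in rule["network"]:
            continue
        if rule["method"] == "reject":
            return "rejected: pg_hba.conf 'reject' rule matched (server had to answer)"
        return "accepted: authenticate with %s" % rule["method"]
    return "rejected: no pg_hba.conf entry matches (server had to answer)"


if __name__ == "__main__":
    # Constructed attempts: an internal client, an external client, and loopback.
    attempts = [("10.0.0.5", "10.0.0.9"), ("203.0.113.7", "198.51.100.4"),
                ("127.0.0.1", "127.0.0.1")]
    for setting in ("localhost", "*"):
        print("listen_addresses = '%s'" % setting)
        for target, client in attempts:
            print("  %s -> %s: %s" % (client, target,
                  evaluate(setting, SAMPLE_HBA, target, client, "app", "app")))
```

Running it shows the distinction Magnus draws: with `listen_addresses = '*'` the external client is stopped by the `reject` rule, but only after the server accepted the socket and had to process the attempt, whereas with the `localhost` default the same attempt is refused before the server sees it.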
Index: doc/src/sgml/config.sgml
===================================================================
RCS file: /cvsroot/pgsql/doc/src/sgml/config.sgml,v
retrieving revision 1.229
diff -c -c -r1.229 config.sgml
*** doc/src/sgml/config.sgml    22 Sep 2009 23:43:37 -0000    1.229
--- doc/src/sgml/config.sgml    3 Oct 2009 23:07:43 -0000
***************
*** 329,336 ****
           at all, in which case only Unix-domain sockets can be used to connect
           to it.
           The default value is <systemitem class="systemname">localhost</>,
!          which allows only local <quote>loopback</> connections to be made.
!          This parameter can only be set at server start.
         </para>
        </listitem>
       </varlistentry>
--- 329,342 ----
           at all, in which case only Unix-domain sockets can be used to connect
           to it.
           The default value is <systemitem class="systemname">localhost</>,
!          which allows only local <quote>loopback</> connections to be
!          made.  While client authentication (<xref
!          linkend="client-authentication">) allows fine-grained control
!          over who can access the server, <varname>listen_addresses</varname>
!          controls which interfaces accept connection attempts, which
!          can help prevent repeated malicious connection requests on
!          insecure network interfaces.  This parameter can only be set
!          at server start.
         </para>
        </listitem>
       </varlistentry>
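Review bot: the new clause "which can help prevent repeated malicious connection requests on insecure network interfaces" (the last three added lines) is vague about both the mechanism and the benefit, and "insecure network interfaces" reads oddly since it is the network, not the interface, that is untrusted. The point made earlier in this thread is concrete: on an interface the server does not listen on, a connection attempt is refused at the socket without the server ever answering it, so a connection flood costs nothing and the server does not show up in port scans there. Suggest wording along the lines of "<varname>listen_addresses</varname> controls which interfaces accept connection attempts at all; attempts on other interfaces are refused before they reach the server, which limits exposure to connection floods from untrusted networks." The xref to client-authentication and the retained "This parameter can only be set at server start." sentence are fine.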
