Re: Couple of PostgreSQL Questions
From | Tom Lane |
---|---|
Subject | Re: Couple of PostgreSQL Questions |
Date | |
Msg-id | 22254.986490765@sss.pgh.pa.us |
In response to | Couple of PostgreSQL Questions ("Richard Zimmerman" <Richard@knbpower.com>) |
List | pgsql-novice |
"Richard Zimmerman" <Richard@knbpower.com> writes: > My Linux system serves as the "Internet" server in my office and also > hosts the PostgreSQL database. I want to "hide" PostgreSQL from my external > network card (eth1). > eth0 = 192.168.0.2 (Internal) > eth1 = 63.110.172.162 (external) In 7.1 it is possible to tell the postmaster to bind its socket to only one IP address, rather than all the machine's IP addresses. That should solve your problem. However, I don't really think you need to worry all that much, given that you have pg_hba.conf set up not to accept connections from anyplace except local addresses. > local all trust > host all 63.110.172.162 255.255.255.255 reject > host all 127.0.0.1 255.255.255.255 crypt > host all 192.168.0.0 255.255.255.0 crypt That "reject" line is pretty much a waste of time, because it only rejects connections that originate from your own machine; the comparison is against the client address not the server address. The important thing for security is that you're not accepting connections from just any old IP address, but only the ones on your local LAN. So, even though an outside port-scanner might be able to see your port responding, he's not going to get in. But, having said that, a firewall rule to drop outside-to-5432 packets entirely is also a good idea. regards, tom lane