Re: Firewall Security Requirements for Postgresql Access
From | Tom Lane |
---|---|
Subject | Re: Firewall Security Requirements for Postgresql Access |
Date | |
Msg-id | 5855.1094597586@sss.pgh.pa.us |
In response to | Re: Firewall Security Requirements for Postgresql Access (Gaetano Mendola <mendola@bigfoot.com>) |
Responses | Re: Firewall Security Requirements for Postgresql Access |
List | pgsql-general |

Gaetano Mendola <mendola@bigfoot.com> writes:
> Randy Yates wrote:
>> Is opening up port 5432 (R/W both directions) all that is required
>> of a firewall in order to access a postgres database outside the
>> firewall?

> Yes it is.

If it's a stateful firewall (eg something doing NAT translation) you will also want to ask hard questions about how quickly it drops idle connections. If the answer is "less than an hour, and you can't change it" then you may want to think about buying a different firewall. Else, idle database connections are likely to disappear from under your clients.

Postgres does enable TCP "keepalive" to prevent idle connections from dying, but most kernels only send keepalive probes every hour or so. (The TCP RFCs actually specify how often to do this, IIRC.) If the firewall drops idle connections after less than the TCP keepalive interval, you got trouble. You can of course work around this in any number of ways, but it's better not to use a standards-challenged firewall in the first place.

regards, tom lane
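
The timing constraint described in the message above, as an added example that is not part of the original post: it checks whether the first keepalive probe is sent before a stateful firewall forgets the flow, derives per-connection settings that fit inside the firewall's idle timeout, and applies them to a socket. It assumes the Linux socket option names and a libpq version that accepts the `keepalives_*` connection parameters; the 900-second firewall timeout and 7200-second kernel keepalive time are constructed sample inputs.

```python
import socket
from collections import namedtuple

# idle: seconds of silence before the first probe
# interval: seconds between unanswered probes
# count: unanswered probes before the connection is declared dead
Keepalive = namedtuple("Keepalive", "idle interval count")

def survives(first_probe_after_s, fw_idle_timeout_s):
    """True if a probe crosses the firewall before it drops the idle flow."""
    return first_probe_after_s < fw_idle_timeout_s

def plan(fw_idle_timeout_s, count=3):
    """Choose settings whose first probe fires at half the firewall timeout."""
    if fw_idle_timeout_s < 4:
        raise ValueError("firewall idle timeout too short to probe safely")
    idle = fw_idle_timeout_s // 2
    # Keep retries short so that lost probes are all resent inside the window.
    interval = max(1, (fw_idle_timeout_s - idle) // (count + 1))
    return Keepalive(idle, interval, count)

def apply(sock, ka):
    """Enable keepalive on one socket and override the kernel-wide timers."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    for name, value in (("TCP_KEEPIDLE", ka.idle),
                        ("TCP_KEEPINTVL", ka.interval),
                        ("TCP_KEEPCNT", ka.count)):
        opt = getattr(socket, name, None)  # Linux names; absent on some platforms
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)

def libpq_params(ka):
    """The same settings as libpq connection-string parameters (assumed supported)."""
    return ("keepalives=1 keepalives_idle=%d keepalives_interval=%d "
            "keepalives_count=%d" % ka)

if __name__ == "__main__":
    FW_IDLE_TIMEOUT = 900   # constructed sample: firewall drops flows idle for 15 min
    KERNEL_KEEPALIVE = 7200 # constructed sample: kernel-wide keepalive time
    print("kernel setting survives firewall:",
          survives(KERNEL_KEEPALIVE, FW_IDLE_TIMEOUT))
    ka = plan(FW_IDLE_TIMEOUT)
    print("per-connection plan:", ka)
    print("libpq:", libpq_params(ka))
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    apply(s, ka)  # settings take effect once the socket is connected
    s.close()
```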