Обсуждение: Basic question on 'reject' auth-method in pg_hba.conf

Поиск
Список
Период
Сортировка

Basic question on 'reject' auth-method in pg_hba.conf

От
Sathesh S
Дата:

Hello All,


I'm new to postgresql, I have a basic question in using the 'reject' auth-method in pg_hba.conf.

I would like to reject a particular login from multiple range of IP addresses.


For example:


I want to reject login "test" from multiple IP ranges "100.101.13.0" & "200.101.13.0"


My questions:


1.  Do I need to make separate entires like below ones or can I separate the IP address range using comma?


"host   all  test  100.101.13.0  reject"

"host   all  test  200.101.13.0  reject"

2. If I make multiple entries to reject as above, how will it be treated, will the system read all the entries for the "test" login or will it stop after it finds the 1st entry for "test" login?

Can you please help with above questions.


Thanks,

Sathesh

Re: Basic question on 'reject' auth-method in pg_hba.conf

От
John Scalia
Дата:
Yes, you'll need to make 2 entries like you shown as no CIDR that I know of other than 0.0.0.0/0 would block both of those, and obviously you do NOT want to block everyone which 0.0.0.0/0 would do. The entries are scanned during a connection attempt, so if your test user is coming from a different IP address than these two, there needs to be another entry permitting that.
--
Jay

On Wed, Nov 30, 2016 at 11:36 AM, Sathesh S <Sathesh.Sundaram@hotmail.com> wrote:

Hello All,


I'm new to postgresql, I have a basic question in using the 'reject' auth-method in pg_hba.conf.

I would like to reject a particular login from multiple range of IP addresses.


For example:


I want to reject login "test" from multiple IP ranges "100.101.13.0" & "200.101.13.0"


My questions:


1.  Do I need to make separate entires like below ones or can I separate the IP address range using comma?


"host   all  test  100.101.13.0  reject"

"host   all  test  200.101.13.0  reject"

2. If I make multiple entries to reject as above, how will it be treated, will the system read all the entries for the "test" login or will it stop after it finds the 1st entry for "test" login?

Can you please help with above questions.


Thanks,

Sathesh


Re: Basic question on 'reject' auth-method in pg_hba.conf

От
Sathesh S
Дата:

Hi Jay,

 

Thanks for the response.

 

Just to confirm, do you mean I need to make entries to allow connections for “test” user apart from the reject ones?

I was under assumption that if I make the reject entries, all other connections coming apart from the  reject IP’s will be accepted by default.

 

So, if I need to make entries for both “reject” & to allow connections for “test” user, which one should be on the top (reject entry or allow entry)

 

Please suggest.

 

Thanks,

Sathesh

 

 

From: John Scalia
Sent: Wednesday, November 30, 2016 10:22 PM
To: Sathesh S
Cc: pgsql-admin@postgresql.org
Subject: Re: [ADMIN] Basic question on 'reject' auth-method in pg_hba.conf

 

Yes, you'll need to make 2 entries like you shown as no CIDR that I know of other than 0.0.0.0/0 would block both of those, and obviously you do NOT want to block everyone which 0.0.0.0/0 would do. The entries are scanned during a connection attempt, so if your test user is coming from a different IP address than these two, there needs to be another entry permitting that.
--
Jay

On Wed, Nov 30, 2016 at 11:36 AM, Sathesh S <Sathesh.Sundaram@hotmail.com> wrote:

Hello All,


I'm new to postgresql, I have a basic question in using the 'reject' auth-method in pg_hba.conf.

I would like to reject a particular login from multiple range of IP addresses.


For example:


I want to reject login "test" from multiple IP ranges "100.101.13.0" & "200.101.13.0"


My questions:


1.  Do I need to make separate entires like below ones or can I separate the IP address range using comma?


"host   all  test  100.101.13.0  reject"

"host   all  test  200.101.13.0  reject"

2. If I make multiple entries to reject as above, how will it be treated, will the system read all the entries for the "test" login or will it stop after it finds the 1st entry for "test" login?

Can you please help with above questions.


Thanks,

Sathesh