Re: Getting rid of "accept incoming network connections" prompts on OS X

From Tom Lane
Subject Re: Getting rid of "accept incoming network connections" prompts on OS X
Msg-id 11427.1414263156@sss.pgh.pa.us
In reply to Re: Getting rid of "accept incoming network connections" prompts on OS X  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: Getting rid of "accept incoming network connections" prompts on OS X
List pgsql-hackers
I wrote:
> Peter Eisentraut <peter_e@gmx.net> writes:
>> Have we dug deep enough into the firewall configuration to evaluate
>> other options?  Can we, for example, exclude a port range?

> Not that I've been able to detect.  Any simple way to do that would
> presumably open up exactly the security hole Apple is trying to close,
> so I'd bet against there being one.  (It is annoying that the firewall
> triggers on ports bound to 127.0.0.1, though --- it's not apparent why
> that's a security risk.  Perhaps there's some way to adjust that choice?)

And a bit of experimentation later: it seems that on Yosemite (and
probably earlier OS X versions), "localhost" maps to all three of these
addresses:
        127.0.0.1
        ::1
        fe80:1::1
Binding to 127.0.0.1 does not trigger the firewall popup.  Binding
to ::1 doesn't, either.  But binding to fe80:1::1 does.  So the
easy fix, for a default installation, is to keep the postmaster
from binding to that last address.

I'm not sufficiently up on my IPv6 to be sure exactly what that third
address does.  Perhaps it is a bug in the firewall logic that it
considers that address external?  If it *is* externally accessible,
what the heck is the OS doing including it in "localhost"?

(Not sure if it's relevant, but I've got IPv6 set to "link-local only"
in network preferences.)
        regards, tom lane
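
An added example, not part of the original message and not PostgreSQL code: it resolves "localhost" the way a server would and marks each returned address as bind or skip, so the link-local entry described above is left out. The names `classify_addr` and `should_bind`, and the loopback-only policy itself, are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

enum addr_class { ADDR_INVALID, ADDR_LOOPBACK, ADDR_LINK_LOCAL, ADDR_OTHER };

/* Classify a numeric IPv4/IPv6 address string (no %scope suffix). */
enum addr_class classify_addr(const char *text)
{
    struct in_addr a4;
    struct in6_addr a6;
    if (inet_pton(AF_INET, text, &a4) == 1)   /* 127.0.0.0/8 is loopback */
        return (ntohl(a4.s_addr) >> 24) == 127 ? ADDR_LOOPBACK : ADDR_OTHER;
    if (inet_pton(AF_INET6, text, &a6) != 1)
        return ADDR_INVALID;
    if (IN6_IS_ADDR_LOOPBACK(&a6))            /* ::1 */
        return ADDR_LOOPBACK;
    if (IN6_IS_ADDR_LINKLOCAL(&a6))           /* fe80::/10 */
        return ADDR_LINK_LOCAL;
    return ADDR_OTHER;
}

/* Hypothetical policy: bind only to true loopback addresses. */
int should_bind(const char *text)
{
    return classify_addr(text) == ADDR_LOOPBACK;
}

int main(void)
{
    struct addrinfo hints, *res, *ai;
    char host[NI_MAXHOST];
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;              /* both IPv4 and IPv6 results */
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo("localhost", NULL, &hints, &res) != 0)
        return 1;
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        if (getnameinfo(ai->ai_addr, ai->ai_addrlen, host, sizeof(host),
                        NULL, 0, NI_NUMERICHOST) != 0)
            continue;
        host[strcspn(host, "%")] = '\0';      /* drop %scope, e.g. %lo0 */
        printf("%-40s %s\n", host, should_bind(host) ? "bind" : "skip");
    }
    freeaddrinfo(res);
    return 0;
}
```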


