Re: pg_hba.conf hostname todo
From | Joshua D. Drake |
---|---|
Subject | Re: pg_hba.conf hostname todo |
Date | |
Msg-id | 1167257818.12075.65.camel@localhost.localdomain |
In response to | Re: pg_hba.conf hostname todo (Stephen Frost <sfrost@snowman.net>) |
List | pgsql-hackers |
On Wed, 2006-12-27 at 17:02 -0500, Stephen Frost wrote:
> * Joshua D. Drake (jd@commandprompt.com) wrote:
> > On Wed, 2006-12-27 at 16:41 -0500, Stephen Frost wrote:
> > > I'm inclined towards doing the reverse-DNS of the connecting IP and then
> > > checking that the forward of that matches.
> >
> > Hmm what if it doesn't? Which is the case in many scenarios. My thoughts
> > are:
>
> If it doesn't then it's not allowed, of course. :)
>
> > If www.commandprompt.com is allowed, then the ip address 207.173.200.129
> > is allowed to connect.
> >
> > If we go the reverse way:
> >
> > 129.200.173.207.in-addr.arpa name = 129.commandprompt.com.
> >
> > Which really isn't that useful imo.
>
> While I agree that the way your reverse DNS has been done isn't very
> useful, I don't feel that such a setup should be encouraged or
> accommodated by an authorization system.

Well from the lazy hat of sysadmin. The *only* reason I even have
reverse dns is to deal with smtp servers that won't accept email unless
the ip has a reverse ;)

> There's a couple of reasons
> to go with reverse DNS:
>
> #1: www.commandprompt.com could legitimately map to multiple IP
> addresses

Agreed, I was thinking about that. The only thing I could come up with
is a list that would be checked (think where foo IN ())

>
> #2: You may not be able to see all the addresses it maps to at a given
> time without a bunch of work (potentially requiring multiple look-ups)

Hmm... I would have to check that.

>
> #4: Even in the case mentioned, 129.commandprompt.com does resolve back
> to the appropriate IP, so the re-check would succeed (but you'd have to
> put 129.commandprompt.com into pg_hba, or change it to 'www129' and put
> 'www*' in)

My proposal does not accept that syntax. I think www* would be insane.

> > syntaxes that are available :)
>
> Sure. Either way for this is alright with me, really. Just be sure to
> document it clearly whichever way you decide to go. :)

Like the stone tablets of God.

Joshua D. Drake

>
> Thanks,
>
> Stephen

--
=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/

Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate
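
The two matching strategies debated in this message, side by side, as an added example that is not part of the original post and not PostgreSQL code. The DNS tables are constructed: only 207.173.200.129 and its PTR name come from the thread, while the second www address and the 198.51.100.7 record are assumptions for illustration, as are all function names.

```python
import ipaddress

# Constructed DNS data. Only the 207.173.200.129 records come from the thread.
FORWARD = {  # name -> A records
    "www.commandprompt.com": ["207.173.200.129", "192.0.2.10"],
    "129.commandprompt.com": ["207.173.200.129"],
}
REVERSE = {  # address -> PTR name
    "207.173.200.129": "129.commandprompt.com.",
    "192.0.2.10": "www.commandprompt.com.",
    # PTR data is published by whoever runs the reverse zone for the address,
    # so it can name any host; this record has no matching A record.
    "198.51.100.7": "www.commandprompt.com.",
}

def norm(name):
    """Case-insensitive comparison form without the trailing root dot."""
    return name.rstrip(".").lower()

def forward_lookup(name):
    return FORWARD.get(norm(name), [])

def reverse_lookup(ip):
    return REVERSE.get(ip)

def ip_in(client_ip, addresses):
    """Compare parsed addresses, not strings."""
    client = ipaddress.ip_address(client_ip)
    return any(client == ipaddress.ip_address(a) for a in addresses)

def match_forward_only(client_ip, allowed_name):
    """Resolve the configured name and test membership (the 'foo IN ()' idea)."""
    return ip_in(client_ip, forward_lookup(allowed_name))

def match_reverse_confirmed(client_ip, allowed_name):
    """Reverse-resolve the client, compare names, then confirm with a forward lookup."""
    ptr = reverse_lookup(client_ip)
    if ptr is None or norm(ptr) != norm(allowed_name):
        return False
    # The PTR name only counts if its own A records include the client address.
    return ip_in(client_ip, forward_lookup(ptr))

if __name__ == "__main__":
    for ip in ("207.173.200.129", "192.0.2.10", "198.51.100.7"):
        for name in ("www.commandprompt.com", "129.commandprompt.com"):
            print(ip, name,
                  "forward:", match_forward_only(ip, name),
                  "reverse+confirm:", match_reverse_confirmed(ip, name))
```

With this data, 207.173.200.129 matches a `www.commandprompt.com` entry only under the forward-only rule, and matches under the reverse-confirmed rule only when the entry names `129.commandprompt.com`, which is the disagreement in the thread.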