Reject xpto connection from all adress and after acept xpto connection from this adress - result = work good (lock connection for xtpo come from other adress and acept from this adress)
be careful with order change. This proposed by Scott was correct; yours will reject all the connections made by user system to xpto. Documentation says:
> The first record with a matching connection type, client address, > requested database, and user name is used to perform authentication. There > is no "fall-through" or "backup": if one record is chosen and the > authentication fails, subsequent records are not considered.