Re: open up firewall from "anywhere" to postgres ports?

From Lew
Subject Re: open up firewall from "anywhere" to postgres ports?
Date
Msg-id gp19cm$10r$1@news.albasani.net
In reply to Re: open up firewall from "anywhere" to postgres ports?  (Willy-Bas Loos <willybas@gmail.com>)
List pgsql-general
Adrian Klaver wrote:
>> but if you don't allow access to ports 5432 and 5433
>> in the firewall the packets will never get to the point that the rules in
>> pg_hba.conf apply.

Willy-Bas Loos wrote:
> Adrian, i [sic] was talking about opening up the firewall for "the world" to
> my postgres ports, instead of granting access to individual ip
> addresses.

His answer took that into account.

There is a difference visible to the "outside" between rejection at the
firewall and rejection by Postgres's own security.

>> Also are you running two instances of Postgres listening on
>> different ports? Just trying to figure where the 5433 comes from.

Inquiring minds want to know the answer to this (these) question(s).

In general, and there can be use cases for different tactics, it is better to
firewall the DB port(s) and allow access only from inside the firewall,
usually with a mediating application to vet the access.

There certainly are dangers to letting the world in to your network.  There
are a lot of ways to mitigate the risk.  A firewall blockade in conjunction
with pg_hba.conf rules is one standard, relatively simple and fairly effective
tactic.

--
Lew
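
Added example, not part of Lew's message: a small Python audit of the pg_hba.conf half of the firewall-plus-pg_hba.conf tactic described above, classifying each host rule by whether it admits the world, a range, or a single address. The sample file, its addresses and the function names are constructed for illustration; quoted fields and include directives are not handled.

```python
import ipaddress

# Constructed sample pg_hba.conf (addresses are documentation ranges, not from the thread).
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS                      METHOD
local   all       all                                peer
host    all       all   127.0.0.1/32                 scram-sha-256
host    appdb     app   192.0.2.10/32                scram-sha-256
host    appdb     app   198.51.100.0 255.255.255.0   scram-sha-256
hostssl all       all   0.0.0.0/0                    scram-sha-256
host    all       all   all                          trust
"""


def parse_hba(text):
    """Yield (lineno, address, method) for each host* rule; address is a network or a name."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields or not fields[0].startswith("host"):
            continue  # blank line, comment, or "local" (Unix-socket) rule
        addr, rest = fields[3], fields[4:]
        if "/" in addr:  # CIDR form
            net = ipaddress.ip_network(addr, strict=False)
        else:
            try:
                ipaddress.ip_address(addr)
            except ValueError:
                net = addr  # keyword (all, samehost, samenet) or host name
            else:  # "ADDRESS NETMASK" two-column form (IPv4 mask assumed)
                net = ipaddress.ip_network(f"{addr}/{rest.pop(0)}", strict=False)
        yield lineno, net, rest[0]


def audit(text):
    """Return [(lineno, scope, method)] with scope in world/range/single/named."""
    report = []
    for lineno, net, method in parse_hba(text):
        if net == "all" or (not isinstance(net, str) and net.prefixlen == 0):
            scope = "world"  # every client address matches this rule
        elif isinstance(net, str):
            scope = "named"  # samehost/samenet/host name: resolve before judging
        else:
            scope = "range" if net.num_addresses > 1 else "single"
        report.append((lineno, scope, method))
    return report


if __name__ == "__main__":
    for lineno, scope, method in audit(SAMPLE_HBA):
        print(f"line {lineno}: {scope:6} {method}")
```

A rule reported as "world" relies entirely on the firewall to limit who can reach the authentication step, so those lines are the ones to compare against the firewall's allow list.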
