On Tue, 23 Sep 2008 11:44:24 +0200, security improvement proposal:
pg_hba.conf and CIDR mask <marc@intershop.de> wrote:
> Description: entries like "host all all 10.0.50.31/0
> ..."
> should not be allowed or trigger a warning
> A CIDR mask length of 0 will allow to connect from any location.
Hm, it will allow to match any location, what it does with that later
depends on your settings. Putting "reject" as the method will, well,
reject them.
Also, I use "host dbname username 0.0.0.0/0 md5" in quite a few places,
and I believe I know what I'm doing. ;-)
> Checking the mask against the IP address would prevent such errors:
> /0 : disallow ?
Sorry, I can't agree here. I need that!
Kind of offtopic:
> /24 : IP must ends with .0
> /16 : IP must ends with .0.0
> ...
Precisely, /24 is A.B.C.*, /16 is A.B.*.*, /8 is A.*.*.*. It's not just .0
or .0.0, it's "anything".
HTH too. ;-)
--
ru