Discussion: Listen on IPv6 only
hi guys

I am in the process of converting my network to IPv6 only (well, as
much as possible).
Since our own network has fully functional IPv6 connectivity, I should
be able to move all services that are used internally only, to IPv6
only.
Postgres is one of those services.

I could not find anywhere in the docs how to configure this.
However, the following seems to do the trick:

listen_addresses = '::'

This will make postgres listen on IPv6 only:

root@cajones:~# telnet 127.0.0.1 5432
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused

root@cajones:~# telnet ::1 5432
Trying ::1...
Connected to ::1.
Escape character is '^]'.

Might be an idea to add this to the docs.

--
Dyonisius Visser
System & Networking Engineer
TERENA Secretariat
Singel 468 D, 1017 AW Amsterdam
The Netherlands
T +31 20 530 44 88
F +31 20 530 44 99
visser@terena.org | www.terena.org
On Wed, 09-03-2011 at 13:58 +0100, Dyonisius Visser wrote:
> hi guys
>
> I am in the process of converting my network to IPv6 only (well, as
> much as possible).
> Since our own network has fully functional IPv6 connectivity, I should
> be able to move all services that are used internally only, to IPv6
> only.
> Postgres is one of those services.
>
> I could not find anywhere in the docs how to configure this.
> However, the following seems to do the trick:
>
> listen_addresses = '::'
>
> This will make postgres listen on IPv6 only:
>
> root@cajones:~# telnet 127.0.0.1 5432
> Trying 127.0.0.1...
> telnet: Unable to connect to remote host: Connection refused
>
> root@cajones:~# telnet ::1 5432
> Trying ::1...
> Connected to ::1.
> Escape character is '^]'.
>
> Might be an idea to add this to the docs.

Maybe!!.

--
Regards,
Gilberto Castillo
Edificio Beijing. Miramar Trade Center. Etecsa.
Miramar, La Habana.Cuba.

---
This message was processed by Kaspersky Mail Gateway 5.6.28/RELEASE running at host imx3.etecsa.cu
Visit our web-site: <http://www.kaspersky.com>, <http://www.viruslist.com>
Gilberto Castillo Martínez wrote:
>
> On Wed, 09-03-2011 at 13:58 +0100, Dyonisius Visser wrote:
> > hi guys
> >
> > I am in the process of converting my network to IPv6 only (well, as
> > much as possible).
> > Since our own network has fully functional IPv6 connectivity, I should
> > be able to move all services that are used internally only, to IPv6
> > only.
> > Postgres is one of those services.
> >
> > I could not find anywhere in the docs how to configure this.
> > However, the following seems to do the trick:
> >
> > listen_addresses = '::'
> >
> > This will make postgres listen on IPv6 only:
> >
> > root@cajones:~# telnet 127.0.0.1 5432
> > Trying 127.0.0.1...
> > telnet: Unable to connect to remote host: Connection refused
> >
> > root@cajones:~# telnet ::1 5432
> > Trying ::1...
> > Connected to ::1.
> > Escape character is '^]'.
> >
> > Might be an idea to add this to the docs.
>
> Maybe!!.

Interesting. How would someone listen only on IPv4 addresses?

--
  Bruce Momjian <bruce@momjian.us> http://momjian.us
  EnterpriseDB http://enterprisedb.com

  + It's impossible for everything to be true. +
> > Maybe!!.
>
> Interesting. How would someone listen only on IPv4 addresses?

In the documentation there are few examples of its use; there are several
networks that only use IPv6.

--
Regards,
Gilberto Castillo
Edificio Beijing. Miramar Trade Center. Etecsa.
Miramar, La Habana.Cuba.
Gilberto Castillo Martínez wrote:
>
> > > Maybe!!.
> >
> > Interesting. How would someone listen only on IPv4 addresses?
>
> In documentation there are few examples of its use, there are several
> networks that only use IPv6

My big question is whether '::' is supported on all platforms that
support IPv6, and whether there is an IPv4-only syntax.

--
  Bruce Momjian <bruce@momjian.us> http://momjian.us
  EnterpriseDB http://enterprisedb.com

  + It's impossible for everything to be true. +
> My big question is whether '::' is supported on all platforms that
> support IPv6, and whether there is an IPv4-only syntax.

Umm, you have to try, at least there is not much documented about it.

--
Regards,
Gilberto Castillo
Edificio Beijing. Miramar Trade Center. Etecsa.
Miramar, La Habana.Cuba.
Gilberto Castillo Martínez wrote:
>
> > My big question is whether '::' is supported on all platforms that
> > support IPv6, and whether there is an IPv4-only syntax.
>
> Umm, you have to try, at least there is not much documented about it.

OK, let's skip documenting this then. They can already do this via
pg_hba.conf.

--
  Bruce Momjian <bruce@momjian.us> http://momjian.us
  EnterpriseDB http://enterprisedb.com

  + It's impossible for everything to be true. +
> OK, let's skip documenting this then. They can already do this via
> pg_hba.conf.

What would the postgresql.conf listen_addresses be?

--
Regards,
Gilberto Castillo
Edificio Beijing. Miramar Trade Center. Etecsa.
Miramar, La Habana.Cuba.
On Thu, 10-03-2011 at 21:11 +0100, Dyonisius Visser wrote:
> On 10 March 2011 19:37, Bruce Momjian <bruce@momjian.us> wrote:
>
> > Interesting. How would someone listen only on IPv4 addresses?
>
> listen_addresses = '0.0.0.0'
>
> root@toad:/etc/postgresql/8.4/main# telnet ::1 5432
> Trying ::1...
> telnet: Unable to connect to remote host: Connection refused
>
> root@toad:/etc/postgresql/8.4/main# telnet 127.0.0.1 5432
> Trying 127.0.0.1...
> Connected to 127.0.0.1.
> Escape character is '^]'.
>

OK,

--
Regards,
Gilberto Castillo
Edificio Beijing. Miramar Trade Center. Etecsa.
Miramar, La Habana.Cuba.
On 10 March 2011 19:37, Bruce Momjian <bruce@momjian.us> wrote:

> Interesting. How would someone listen only on IPv4 addresses?

listen_addresses = '0.0.0.0'

root@toad:/etc/postgresql/8.4/main# telnet ::1 5432
Trying ::1...
telnet: Unable to connect to remote host: Connection refused

root@toad:/etc/postgresql/8.4/main# telnet 127.0.0.1 5432
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

--
Dyonisius Visser
System & Networking Engineer
TERENA Secretariat
Singel 468 D, 1017 AW Amsterdam
The Netherlands
T +31 20 530 44 88
F +31 20 530 44 99
visser@terena.org | www.terena.org
Dyonisius Visser wrote:
> On 10 March 2011 21:03, Bruce Momjian <bruce@momjian.us> wrote:
>
> > OK, let's skip documenting this then. They can already do this via
> > pg_hba.conf.
>
> Restricting access via pg_hba.conf is something else than listening
> (or not) on sockets...
>
> FYI, the listen_addresses is basically the same as sshd's ListenAddress.

Yes, listen_addresses prevents anyone from even binding to the address.

--
  Bruce Momjian <bruce@momjian.us> http://momjian.us
  EnterpriseDB http://enterprisedb.com

  + It's impossible for everything to be true. +
On 10 March 2011 21:03, Bruce Momjian <bruce@momjian.us> wrote:

> OK, let's skip documenting this then. They can already do this via
> pg_hba.conf.

Restricting access via pg_hba.conf is something else than listening
(or not) on sockets...

FYI, the listen_addresses is basically the same as sshd's ListenAddress.

--
Dyonisius Visser
System & Networking Engineer
TERENA Secretariat
Singel 468 D, 1017 AW Amsterdam
The Netherlands
T +31 20 530 44 88
F +31 20 530 44 99
visser@terena.org | www.terena.org
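An added example (not part of the thread and not PostgreSQL code) of the distinction drawn in the message above: listen_addresses decides which TCP sockets exist, while pg_hba.conf only filters connections that reach one. The function names and the sample pg_hba.conf are constructed for illustration, and host names in listen_addresses are reported as "name" rather than resolved.

```python
import ipaddress

# Constructed sample pg_hba.conf, not taken from the thread.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS         METHOD
local   all       all                   peer
host    all       all   127.0.0.1/32    scram-sha-256
host    all       all   ::1/128         scram-sha-256
host    app       app   10.0.0.0/8      scram-sha-256
host    app       app   2001:db8::/32   scram-sha-256
"""

def listen_families(value):
    """Address families that a listen_addresses value opens TCP sockets on."""
    fams = set()
    for entry in (e.strip() for e in value.split(",")):
        if entry == "*":
            fams |= {4, 6}
        elif entry:
            try:
                fams.add(ipaddress.ip_address(entry).version)
            except ValueError:
                fams.add("name")  # host name: family depends on DNS, not resolved here
    return fams

def hba_family(address):
    """IP version of a pg_hba.conf ADDRESS field; None for keywords and host names."""
    try:
        return ipaddress.ip_network(address, strict=False).version
    except ValueError:
        return None

def audit(listen_value, hba_text):
    """Return (families listened on, host rules that no listening socket can serve)."""
    fams = listen_families(listen_value)
    dead = []
    for lineno, line in enumerate(hba_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if len(fields) < 5 or not fields[0].startswith("host"):
            continue  # comments, blanks and "local" (Unix-socket) rules
        fam = hba_family(fields[3])
        if fam is not None and fam not in fams and "name" not in fams:
            dead.append((lineno, fields[3]))
    return fams, dead

if __name__ == "__main__":
    for value in ("::", "0.0.0.0", "*", ""):
        print(repr(value), audit(value, SAMPLE_HBA))
```

With `'::'` the IPv4 rules are reported as unreachable, which matches the refused telnet to 127.0.0.1 shown earlier in the thread; an empty value leaves only the `local` (Unix-socket) rule usable.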
On Thu, 10-03-2011 at 15:33 -0500, Bruce Momjian wrote:
> Dyonisius Visser wrote:
> > On 10 March 2011 21:03, Bruce Momjian <bruce@momjian.us> wrote:
> >
> > > OK, let's skip documenting this then. They can already do this via
> > > pg_hba.conf.
> >
> > Restricting access via pg_hba.conf is something else than listening
> > (or not) on sockets...
> >
> > FYI, the listen_addresses is basically the same as sshd's ListenAddress.
>
> Yes, listen_addresses prevents anyone from even binding to the address.

I keep thinking you should put that information somewhere commonly
accessible.

--
Regards,
Gilberto Castillo
Edificio Beijing. Miramar Trade Center. Etecsa.
Miramar, La Habana.Cuba.
Gilberto Castillo Martínez wrote:
>
> On Thu, 10-03-2011 at 15:33 -0500, Bruce Momjian wrote:
> > Dyonisius Visser wrote:
> > > On 10 March 2011 21:03, Bruce Momjian <bruce@momjian.us> wrote:
> > >
> > > > OK, let's skip documenting this then. They can already do this via
> > > > pg_hba.conf.
> > >
> > > Restricting access via pg_hba.conf is something else than listening
> > > (or not) on sockets...
> > >
> > > FYI, the listen_addresses is basically the same as sshd's ListenAddress.
> >
> > Yes, listen_addresses prevents anyone from even binding to the address.
>
> I keep thinking you should put that information somewhere commonly
> accessible.

I can add it to the documentation now that we have more reports.

--
  Bruce Momjian <bruce@momjian.us> http://momjian.us
  EnterpriseDB http://enterprisedb.com

  + It's impossible for everything to be true. +
> > > > Restricting access via pg_hba.conf is something else than listening
> > > > (or not) on sockets...
> > > >
> > > > FYI, the listen_addresses is basically the same as sshd's ListenAddress.
> > >
> > > Yes, listen_addresses prevents anyone from even binding to the address.
> >
> > I keep thinking you should put that information somewhere commonly
> > accessible.
>
> I can add it to the documentation now that we have more reports.

Thank you!!

--
Regards,
Gilberto Castillo
Edificio Beijing. Miramar Trade Center. Etecsa.
Miramar, La Habana.Cuba.
Gilberto Castillo Martínez wrote:
>
> On Thu, 10-03-2011 at 15:33 -0500, Bruce Momjian wrote:
> > Dyonisius Visser wrote:
> > > On 10 March 2011 21:03, Bruce Momjian <bruce@momjian.us> wrote:
> > >
> > > > OK, let's skip documenting this then. They can already do this via
> > > > pg_hba.conf.
> > >
> > > Restricting access via pg_hba.conf is something else than listening
> > > (or not) on sockets...
> > >
> > > FYI, the listen_addresses is basically the same as sshd's ListenAddress.
> >
> > Yes, listen_addresses prevents anyone from even binding to the address.
>
> I keep thinking you should put that information somewhere commonly
> accessible.

Attached doc patch applied.

--
  Bruce Momjian <bruce@momjian.us> http://momjian.us
  EnterpriseDB http://enterprisedb.com

  + It's impossible for everything to be true. +

diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index 8e27f73..0c682c8 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -324,7 +324,9 @@ SET ENABLE_SEQSCAN TO OFF; to listen for connections from client applications. The value takes the form of a comma-separated list of host names and/or numeric IP addresses. The special entry <literal>*</> - corresponds to all available IP interfaces. + corresponds to all available IP interfaces. The entry + <literal>0.0.0.0</> allows listening for all IPv4 addresses and + <literal>::</> allows listening for all IPv6 addresses. If the list is empty, the server does not listen on any IP interface at all, in which case only Unix-domain sockets can be used to connect to it.
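Review bot: The added sentence following "corresponds to all available IP interfaces." says 0.0.0.0 and :: "allow listening for" all IPv4 and all IPv6 addresses, but it does not say that each entry is exclusive to its family, which is the behaviour the thread actually reported (with '::' the telnet to 127.0.0.1 was refused, with '0.0.0.0' the telnet to ::1 was refused). Consider wording along the lines of "listens on all IPv4 addresses only" and "listens on all IPv6 addresses only", so a reader does not take either entry as a synonym for *. The question raised earlier in the thread, whether '::' behaves this way on every platform that supports IPv6, is also left open by the new text; a short note on that would help anyone relying on this setting to keep a service off IPv4.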