
Re: PostgreSQL Question

>I don't know how PostgreSQL handles passing off connections to child processes
>(on different ports).  That might affect how well this works.  Anyone know?  If
>not I'm willing to do a little tcpdump-ing ('cause it sounds like a good
>thing to know)

I wouldn't see how that could be an issue.  Netfilter can filter on 
interface, direction and port.

# iptables -A INPUT -i eth1 -p tcp --dport 5432 -j DROP

should do it.

Are you concerned with connections to ports opened by the child 
processes?  Is it possible to externally see a port opened for a child 
process by an initial connection to localhost?

> >3. Drop a bridged firewall between the host and the internet.
> >The firewall is invisible to TCP/IP traffic, but can drop packets that flow
> >through it.  Nifty, eh?
>
>Fascinating.  I've seen the "bridge" option in "make menuconfig" but have
>never used it.  Do both sides have to be the same network topology (ethernet) or is
>this a different type of bridging than you find in a router?  (Sounds like a
>great presentation topic :)

I have no experience with Linux bridging.  The best open source 
implementation I've used is OpenBSD.  They have integrated bridging with 
ip-filter.  It is quite simple to set up.  FreeBSD has immature bridging 
code which will not work with ip-filter, my firewall tool of choice.

It acts just like a bridged hub.  By default it forwards all packets from 
interface to interface.  As it sees and forwards packets, it builds a table 
of MAC addresses and only forwards packets with those addresses out the 
appropriate interface.  The hosts on each side of the bridge have to be on 
the same network.

The power of a bridged firewall is that it is a drop-in solution.  You can 
place it between any two nodes in your ethernet topology with no 
modification to the configuration of those nodes.  There was a paper 
written a few years ago by a team at Lucent giving their uses for the 
tool.  I could dig it up for you if you're interested.

I currently don't have a computer using this.  All of the firewalls I've 
set up require NAT.  NAT and bridging are orthogonal.
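To make the two points above concrete (filtering on ingress interface and port, and a bridge that learns MAC addresses as it forwards), here is an added simulation of a transparent bridge with a drop rule in its forwarding path. It is illustration code written for this thread, not from any poster or from netfilter/ip-filter; the interface names "ext"/"int", the MAC addresses and the frames are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    dst_port: int   # TCP destination port carried inside the frame
    in_iface: str   # interface the frame arrived on


@dataclass
class Bridge:
    ifaces: tuple = ("ext", "int")
    # learned MAC -> interface table, built as frames are seen
    mac_table: dict = field(default_factory=dict)
    # drop rules keyed on (ingress interface, TCP dst port),
    # the equivalent of "iptables -i <iface> -p tcp --dport <port> -j DROP"
    drop_rules: set = field(default_factory=set)

    def forward(self, f: Frame) -> list:
        """Return the interfaces the frame is sent out on ([] = dropped)."""
        # Learning: the source MAC is reachable via the ingress interface
        self.mac_table[f.src_mac] = f.in_iface
        # Filtering: a bridged firewall drops matching traffic before forwarding
        if (f.in_iface, f.dst_port) in self.drop_rules:
            return []
        out = self.mac_table.get(f.dst_mac)
        if out is None:
            # Unknown destination: flood out every other interface, like a hub
            return [i for i in self.ifaces if i != f.in_iface]
        if out == f.in_iface:
            return []  # destination is on the same segment; nothing to forward
        return [out]


def demo():
    # Constructed scenario: aa:aa is the DB host behind "int", bb:bb is outside
    b = Bridge()
    b.drop_rules.add(("ext", 5432))
    return [
        b.forward(Frame("aa:aa", "bb:bb", 80, "int")),    # unknown dst: flood -> ['ext']
        b.forward(Frame("bb:bb", "aa:aa", 5432, "ext")),  # external -> 5432: dropped -> []
        b.forward(Frame("bb:bb", "aa:aa", 22, "ext")),    # learned dst: -> ['int']
        b.forward(Frame("aa:aa", "bb:bb", 5432, "int")),  # internal side not filtered -> ['ext']
    ]
```

Note that the bridge learns the source MAC even of frames it then drops, which is how real learning bridges behave; the hosts on either side never see the bridge's own address.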