
Re: PostgreSQL Question



You make a good case for packet filtering on that interface.  Given your 
concern about that interface being portscanned, I assume that machine is 
not behind a firewall.  So, create some defense in depth:

Block external access to port 5432, as you did, using the postgresql configs.

Block external access to port 5432 with ipchains or netfilter (depending 
on which kernel you're using).

Put a firewall between this host and the internet.  The three architectures 
there are:
         1. This host moves to a private IP address.  Only connections to 
the necessary ports are forwarded from the firewall to the host.
         2. The host moves to the DMZ, keeping its public IP.  Again, only 
connections to the necessary ports are forwarded.
         3. Drop a bridged firewall between the host and the internet.  The 
firewall is invisible to TCP/IP traffic, but can drop packets that flow 
through it.  Nifty, eh?

At 02:06 PM 4/4/2001 -0500, you wrote:
>  I did this... In my original message I posted the excerpt from MY
>pg_hba.conf file.  I have already defined it to only look at 127.0.0.1 &
>192.168.0.2 per the pg_hba.conf file instructions. However Nmap scans still
>see it on eth1 (63.110.172.162)
>
>I did add the following until I can figure out how to keep it from showing
>up in the first place:
>host     all     63.110.172.162     255.255.255.255     reject
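Worked example (added here; it is neither code from this thread nor from the PostgreSQL project). The first layer in the reply, "block external access ... using the postgresql configs", is worth spelling out, because pg_hba.conf is an authentication filter: the postmaster still accept()s the TCP connection on every address it listens on and only then looks the client address up in pg_hba.conf, which is why a port scan still reports 5432 open on eth1. The listen address setting in postgresql.conf (listen_addresses in current releases; the 7.x releases of that era used virtual_host) is what stops the socket from answering on the public interface. The script below evaluates pg_hba.conf host records the way PostgreSQL does, first match wins, so a reject line only works if it precedes any broader record that would also match. The two sample files are constructed for the example and use the five-field ADDRESS/MASK layout quoted above; as a generalisation the parser also accepts the later USER ADDRESS/CIDR layout. local and hostssl records, user columns and keywords such as sameuser are ignored here, which is an assumption of this toy and not how the real server behaves.

```python
"""Evaluate pg_hba.conf 'host' records the way PostgreSQL does: first match wins.

Added example for the mailing-list discussion above, not PostgreSQL's own code.
"""
import ipaddress

# Constructed sample in the pre-8.0 five-field layout quoted in the thread:
#   host  DATABASE  IP_ADDRESS  ADDRESS_MASK  AUTH_TYPE
HBA_GOOD_ORDER = """
# loopback and the one trusted LAN client
host    all     127.0.0.1        255.255.255.255   md5
host    all     192.168.0.2      255.255.255.255   md5
# explicit reject for the public interface address
host    all     63.110.172.162   255.255.255.255   reject
"""

# Constructed counter-example: a catch-all placed FIRST shadows the reject line.
HBA_BAD_ORDER = """
host    all     0.0.0.0          0.0.0.0           md5
host    all     63.110.172.162   255.255.255.255   reject
"""


def parse_hba(text):
    """Return [(database, network, auth_method), ...] from 'host' records.

    Handles the old ADDRESS MASK pair and the newer USER ADDRESS/CIDR or
    USER ADDRESS MASK layouts.  Other record types are skipped because the
    question in the thread is only about TCP/IP client addresses.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] != "host":
            continue
        if len(fields) == 5 and "/" not in fields[3]:
            _, database, addr, mask, auth = fields        # 7.x: ADDRESS MASK
            network = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif len(fields) == 5:
            _, database, _user, cidr, auth = fields       # 8.0+: USER ADDRESS/CIDR
            network = ipaddress.ip_network(cidr, strict=False)
        elif len(fields) == 6:
            _, database, _user, addr, mask, auth = fields  # 8.0+: USER ADDRESS MASK
            network = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        else:
            raise ValueError(f"line {lineno}: unrecognised host record: {raw!r}")
        rules.append((database, network, auth))
    return rules


def decide(rules, client_ip, database="postgres"):
    """Auth method PostgreSQL would apply to a TCP client for `database`.

    Records are scanned in file order and the first match decides; if no
    record matches, the server refuses the connection, reported here as
    'reject'.  Only 'all' and an exact database name are matched.
    """
    ip = ipaddress.ip_address(client_ip)
    for db, network, auth in rules:
        if db != "all" and db != database:
            continue
        if ip in network:
            return auth
    return "reject"


if __name__ == "__main__":
    good = parse_hba(HBA_GOOD_ORDER)
    bad = parse_hba(HBA_BAD_ORDER)
    for src in ("127.0.0.1", "192.168.0.2", "63.110.172.162", "203.0.113.9"):
        print(f"{src:>16}: ordered={decide(good, src):<7} "
              f"catch-all-first={decide(bad, src)}")
```

Run with the two sample files, the public-interface address is rejected under HBA_GOOD_ORDER but gets md5 under HBA_BAD_ORDER, because the 0.0.0.0/0.0.0.0 record matches first and the reject line is never consulted. Either way the TCP port is open to the scanner; that is the job of the listen address setting and of the packet filter and firewall layers the reply goes on to recommend.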