Is opening up port 5432 (R/W both directions) all that is required
of a firewall in order to access a postgres database outside the
firewall?
--
% Randy Yates                  % "My Shangri-la has gone away, fading like
%% Fuquay-Varina, NC           % the Beatles on 'Hey Jude'"
%%% 919-577-9882               %
%%%% <ya***@ieee.org>          % 'Shangri-La', *A New World Record*, ELO
http://home.earthlink.net/~yatescr
Randy Yates wrote:
> Is opening up port 5432 (R/W both directions) all that is required
> of a firewall in order to access a postgres database outside the
> firewall?
Yes it is.
Regards
Gaetano Mendola
Randy Yates wrote:
> Is opening up port 5432 (R/W both directions) all that is required
> of a firewall in order to access a postgres database outside the
> firewall?
I forgot: don't open only port 5432 and sleep well. Don't forget the
antispoofing rules.
Regards
Gaetano Mendola
Well, R/W doesn't make much sense for TCP.... incoming/outgoing SYN
packets make more sense, and if the database is located outside the
firewall, you really only need to allow outgoing SYN packets on the port
(as well as packets related to that session, of course).
On Wed, 8 Sep 2004, Gaetano Mendola wrote:
> Randy Yates wrote:
> > Is opening up port 5432 (R/W both directions) all that is required
> > of a firewall in order to access a postgres database outside the
> > firewall?
> Yes it is.
> Regards
> Gaetano Mendola
Gaetano Mendola <me*****@bigfoot.com> writes:
> Randy Yates wrote:
> > Is opening up port 5432 (R/W both directions) all that is required
> > of a firewall in order to access a postgres database outside the
> > firewall?
> Yes it is.
If it's a stateful firewall (eg something doing NAT translation) you
will also want to ask hard questions about how quickly it drops idle
connections. If the answer is "less than an hour, and you can't change
it" then you may want to think about buying a different firewall.
Else, idle database connections are likely to disappear from under your
clients.
Postgres does enable TCP "keepalive" to prevent idle connections from
dying, but most kernels only send keepalive probes every hour or so.
(The TCP RFCs actually specify how often to do this, IIRC.) If the
firewall drops idle connections after less than the TCP keepalive interval,
you got trouble.
You can of course work around this in any number of ways, but it's
better not to use a standards-challenged firewall in the first place.
regards, tom lane
Tom Lane <tg*@sss.pgh.pa.us> writes:
> Postgres does enable TCP "keepalive" to prevent idle connections from
> dying, but most kernels only send keepalive probes every hour or so.
> (The TCP RFCs actually specify how often to do this, IIRC.)
RFC 1122 4.2.3.6:
Keep-alive packets MUST only be sent when no data or
acknowledgement packets have been received for the
connection within an interval. This interval MUST be
configurable and MUST default to no less than two hours.
> If the firewall drops idle connections after less than the TCP keepalive
> interval, you got trouble.
Of course it really ought to wait at least some reasonable multiple of the
keepalive interval since either the data or the ack could get dropped. In fact
dropping connections after only a single keepalive being dropped is explicitly
prohibited:
It is extremely important to remember that ACK segments that
contain no data are not reliably transmitted by TCP.
Consequently, if a keep-alive mechanism is implemented it
MUST NOT interpret failure to respond to any specific probe
as a dead connection.
Of course NAT violates uncounted RFCs in the first place. But if you're going
to do NAT you usually really want the timeouts to be on the order of days, not
hours.
--
greg
be***@silentmedia.com (Ben) writes:
> Well, R/W doesn't make much sense for TCP.... incoming/outgoing SYN
> packets make more sense, and if the database is located outside the
> firewall, you really only need to allow outgoing SYN packets on the port
> (as well as packets related to that session, of course).
Are you suggesting that the firewall be configured so that the only
outgoing packets allowed through are ones with the SYN bit set in the
CODE BITS field of the TCP header? I'm fairly ignorant on protocol
matters, and I don't understand why one would single out these types
of TCP segments. Could you please expound?
--
% Randy Yates                  % "Bird, on the wing,
%% Fuquay-Varina, NC           % goes floating by
%%% 919-577-9882               % but there's a teardrop in his eye..."
%%%% <ya***@ieee.org>          % 'One Summer Dream', *Face The Music*, ELO
http://home.earthlink.net/~yatescr
On Wed, Sep 08, 2004 at 03:12:29 +0000,
  Randy Yates <ya***@ieee.org> wrote:
> be***@silentmedia.com (Ben) writes:
> > Well, R/W doesn't make much sense for TCP.... incoming/outgoing SYN
> > packets make more sense, and if the database is located outside the
> > firewall, you really only need to allow outgoing SYN packets on the port
> > (as well as packets related to that session, of course).
> Are you suggesting that the firewall be configured so that the only
> outgoing packets allowed through are ones with the SYN bit set in the
> CODE BITS field of the TCP header? I'm fairly ignorant on protocol
> matters, and I don't understand why one would single out these types
> of TCP segments. Could you please expound?
Blocking SYN packets can be used to prevent the set up of a TCP connection.
One way to block inbound connections to ports, but allow outbound connections
to them is to block incoming SYN packets. This has the advantage that no
state needs to be maintained about the connection. The normal situation is
that inbound SYN packets are blocked except for the few ports to which you
want to allow connections.
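The SYN-blocking rule just described, Ben's stateful "outgoing SYN plus packets related to that session" variant, and Gaetano's antispoofing reminder can all be shown side by side on real packet headers. The block below is an added example written for this page, not code from the thread, from any firewall product or from PostgreSQL. All addresses (RFC 5737 test networks), ports and packets are constructed for the demo; the filter logic is a toy that reads raw IPv4/TCP headers and never touches an interface.

```python
"""Added example (not from the original thread): a toy packet filter over
raw IPv4/TCP headers contrasting stateless SYN blocking, stateful session
tracking and an anti-spoofing check. All traffic is constructed.
"""
import ipaddress
import struct

PG_PORT = 5432
INSIDE = ipaddress.ip_network("192.0.2.0/24")          # constructed: LAN behind the firewall
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10  # TCP flag bits
ACCEPT, DROP = "ACCEPT", "DROP"


def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Minimal IPv4 + TCP packet. Checksums are left zero because this filter
    never verifies them; a real stack would."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp + payload


def parse_packet(raw):
    """Return (src, dst, sport, dport, flags) from a raw IPv4/TCP packet."""
    if raw[0] >> 4 != 4 or raw[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (raw[0] & 0x0F) * 4                        # IP header length, honours options
    src, dst = ipaddress.ip_address(raw[12:16]), ipaddress.ip_address(raw[16:20])
    sport, dport = struct.unpack_from("!HH", raw, ihl)
    return src, dst, sport, dport, raw[ihl + 13]     # flags byte of the TCP header


def spoofed(direction, src):
    """Anti-spoofing: an inside source address never arrives on the outside
    interface, and nothing leaves claiming an outside source."""
    return (src in INSIDE) if direction == "in" else (src not in INSIDE)


def stateless_verdict(direction, raw):
    """No connection table. Our SYNs to 5432 go out; inbound packets pass only
    if they come from port 5432 and are not a bare SYN. Cheap, but anything
    with ACK set and source port 5432 looks like return traffic."""
    src, dst, sport, dport, flags = parse_packet(raw)
    if spoofed(direction, src):
        return DROP
    if direction == "out":
        return ACCEPT if dport == PG_PORT else DROP
    if flags & SYN and not flags & ACK:              # someone outside opening a connection
        return DROP
    return ACCEPT if sport == PG_PORT else DROP


class StatefulFilter:
    """Tracks sessions opened from inside; inbound packets must match one."""

    def __init__(self):
        self.sessions = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def verdict(self, direction, raw):
        src, dst, sport, dport, flags = parse_packet(raw)
        if spoofed(direction, src):
            return DROP
        if direction == "out":
            key = (src, sport, dst, dport)
            if flags & SYN and not flags & ACK:      # new session: only to the DB port
                if dport != PG_PORT:
                    return DROP
                self.sessions.add(key)
            elif key not in self.sessions:
                return DROP
        else:
            key = (dst, dport, src, sport)           # inbound: reverse the tuple
            if key not in self.sessions:             # covers inbound SYNs and ACK scans
                return DROP
        if flags & RST:                              # session torn down from either side
            self.sessions.discard(key)
        return ACCEPT


def constructed_traffic():
    """Constructed packets: one real handshake to the DB, then three probes
    from outside. The data payload is a Postgres AuthenticationOk message."""
    client, db, outsider = "192.0.2.7", "198.51.100.10", "203.0.113.5"
    auth_ok = b"R\x00\x00\x00\x08\x00\x00\x00\x00"
    return [
        ("syn_out",         "out", build_packet(client, db, 40000, PG_PORT, SYN)),
        ("synack_in",       "in",  build_packet(db, client, PG_PORT, 40000, SYN | ACK)),
        ("ack_out",         "out", build_packet(client, db, 40000, PG_PORT, ACK)),
        ("data_in",         "in",  build_packet(db, client, PG_PORT, 40000, ACK | PSH, auth_ok)),
        ("outsider_syn_in", "in",  build_packet(outsider, client, 44444, 22, SYN)),
        ("ack_scan_in",     "in",  build_packet(outsider, client, PG_PORT, 22, ACK)),
        ("spoofed_in",      "in",  build_packet("192.0.2.9", client, PG_PORT, 40000, ACK)),
    ]


def run_scenario():
    """Verdicts of both filters over the constructed traffic."""
    stateful = StatefulFilter()
    return {
        "stateless": {n: stateless_verdict(d, raw) for n, d, raw in constructed_traffic()},
        "stateful": {n: stateful.verdict(d, raw) for n, d, raw in constructed_traffic()},
    }


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(name, verdicts)
```

Both filters pass the genuine handshake and the server's data, and both drop the outsider's SYN and the packet forged with an inside source. They part ways on the ACK-only probe with source port 5432: the stateless rule accepts it because, with no memory of which sessions were opened, a segment without SYN and with a plausible source port is indistinguishable from return traffic, while the stateful filter drops it because no inside host ever opened a session to that peer. That gap is the "state needs to be maintained" trade-off the reply above alludes to, and it is why an ACK scan can map ports behind a purely stateless SYN filter.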