93

I can connect just fine to a remote PostgreSQL server that has connection restrictions to a few IPs in pg_hba.conf, but is this enough if you have listen_addresses set to "*" in the postgresql.conf file?

That file indicates that the parameter can take a comma-separated list of IP addresses, but if I do that, I lose the ability to connect remotely.

postgresql-8.4.9 on RHEL

  • 2
    I want to ensure connections are only made either locally or from two remote IPs. I have this successfully configured in pg_hba.conf, but what should listen_addresses be set to? Commented Mar 19, 2012 at 2:08
  • 13
    Unfortunately I can not answer because that question has been closed. The answer: listen_addresses = 'localhost, 192.168.1.10' Commented Oct 13, 2013 at 10:15
  • 15
    And how the heck is this question "off topic"? Commented Feb 10, 2016 at 17:39
  • 2
    @chrismarx because it's not strictly about programming. You should have asked it on another StackExchange site (e.g. dba.stackexchange.com or superuser.com). Commented Sep 18, 2017 at 8:52
  • 2
    According to this: dbrnd.com/2018/04/…, you can do it like that: listen_addresses = '192.168.0.10, localhost, 192.168.1.8'. Commented Feb 4, 2020 at 9:35

2 Answers

124

listen_addresses controls which IPs the server will answer on, not which IPs the server will permit connections to authenticate from. It's entirely reasonable and normal to use listen_addresses '*' so the server will accept incoming connections on any IP assigned to an interface on the PostgreSQL server host, while using pg_hba.conf to control access at a finer-grained level for which IPs the server will accept logins from for specific databases and users.


8 Comments

OK, that's what I wanted to know; it makes the issue of getting the comma-separated list in there moot. Thanks!
Edited to make it more explicit that pg_hba.conf controls login. The server still accepts the TCP/IP connections on any listening interface and converses with the connecting client. It just quickly concludes that the client isn't from a permitted IP range and closes the connection. This means among other things that pre-auth exploits could work with pg_hba exclusion but not if Pg simply wasn't listening on the interface the exploit came in on. Firewall rules, not listen_addresses, are the answer to that.
@CraigRinger I believe this is an important enough topic to warrant its own specific Question, so I posted on the DBA Stack Exchange, Can listen_addresses system configuration setting in Postgres stop pre-authentication exploits?. Perhaps you would be willing to provide an Answer there.
/etc/postgresql/11/main/postgresql.conf is the place to add listen_addresses on Ubuntu.
The path has been updated to /etc/postgresql/14/main/postgresql.conf.
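As an added example (not from the question or either answer), here is a small Python model of the distinction the accepted answer and Craig Ringer's comment draw: listen_addresses decides whether a TCP socket exists at all, while pg_hba.conf is consulted only after the connection has been accepted and the startup packet read. The server host, its two interface addresses, the listen_addresses value and the pg_hba.conf lines are constructed for illustration, and the parser models only CIDR `host` lines (md5 being the password method available on 8.4).

```python
import ipaddress

# Constructed sample configuration (not taken from the question): the server
# host has two interface addresses, 192.168.1.10 (LAN) and 203.0.113.20 (public).
LISTEN_ADDRESSES = "localhost, 192.168.1.10"   # postgresql.conf: local addresses, not client IPs
PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS          METHOD
host    all       all   127.0.0.1/32     md5
host    all       all   192.168.1.50/32  md5
host    all       all   192.168.1.51/32  md5
"""

def parse_listen(value):
    """Local socket addresses the server binds; None means every interface."""
    bound = set()
    for item in value.split(","):
        item = item.strip()
        if item == "*":
            return None
        bound.add("127.0.0.1" if item == "localhost" else item)   # ::1 omitted for brevity
    return bound

def parse_hba(text):
    """Only CIDR 'host' lines are modelled (a simplification of the real format)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "host":
            rules.append((ipaddress.ip_network(parts[3], strict=False), parts[4]))
    return rules

def outcome(listen, hba_text, server_ip, client_ip):
    """Where a TCP connection from client_ip to server_ip is stopped:
    'refused'  - no listening socket, the kernel resets it before Postgres runs
    'rejected' - socket accepted, startup packet read, then pg_hba.conf says no
    'auth:<m>' - pg_hba.conf matched; the client reaches authentication method m
    """
    bound = parse_listen(listen)
    if bound is not None and server_ip not in bound:
        return "refused"
    client = ipaddress.ip_address(client_ip)
    for net, method in parse_hba(hba_text):      # first matching line wins
        if client in net:
            return "rejected" if method == "reject" else "auth:" + method
    return "rejected"
```

With listen_addresses = '*' the same unwanted client on the public interface gets "rejected" instead of "refused": the server has already accepted the socket and parsed the startup packet, which is the pre-auth exposure the comment above describes and why a firewall rule, not pg_hba.conf, closes it.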
9

Setting listen_addresses to '*' is normal, as dbenhur points out. Also, you can use tools such as iptables to deny access to the port apart from certain remote IPs. You can even do both: redundancy in security is not necessarily a bad thing (although relying on IP address security isn't so good).

1 Comment

Yeah, there are already IP-based firewalls in place; just trying to make sure everything is configured as best it can be.
