Re: [HACKERS] listening addresses

2004-03-20 Thread Andrew Dunstan
Tom Lane wrote: Andrew Dunstan [EMAIL PROTECTED] writes: I did wonder if we should treat localhost as a bit special and not rely on the resolver for it. I don't think so; we went in the other direction in 7.4 for pgstats. (It used to try to bind to 127.0.0.1 and now tries localhost.)

Re: [HACKERS] listening addresses

2004-03-20 Thread Tom Lane
Andrew Dunstan [EMAIL PROTECTED] writes: A small problem with it was reported to me a couple of days ago - user had firewalled off all IP6 traffic. The stats collector happily bound and connected to the socket, but all the packets fell in the bit bucket. They found it quite hard to diagnose

Re: [HACKERS] listening addresses

2004-03-20 Thread Andrew Dunstan
Tom Lane wrote: also, is it safe to assume that a byte sent with send() is *immediately* ready to recv()? If not presumably you could either sleep for a very small interval before the recv or select on the socket for a very small interval. Half a second should be ample, I would think.

Re: [HACKERS] listening addresses

2004-03-15 Thread Josh Berkus
Andrew, Tom: This will be a really nice feature for those of us with PG servers that participate in VPNs. Currently I'm blocking certain interfaces using pg_hba.conf but would prefer a listen address instead. Of course, the drawback to this is that confused DBAs will have their pg_hba.conf

Re: [HACKERS] listening addresses

2004-03-15 Thread Bruce Momjian
Josh Berkus wrote: Andrew, Tom: This will be a really nice feature for those of us with PG servers that participate in VPNs. Currently I'm blocking certain interfaces using pg_hba.conf but would prefer a listen address instead. Of course, the drawback to this is that confused DBAs

Re: [HACKERS] listening addresses

2004-03-15 Thread Tom Lane
Josh Berkus [EMAIL PROTECTED] writes: Might I suggest that this default to 127.0.0.1 in postgresql.conf.sample? No, the default should be localhost. Your thinking is too IPv4-centric. regards, tom lane

Re: [HACKERS] listening addresses

2004-03-15 Thread Josh Berkus
Tom, No, the default should be localhost. Your thinking is too IPv4-centric. Good point. My clients are all years away from implementing IPv6, so I tend to forget about it. -- -Josh Berkus Aglio Database Solutions San Francisco

Re: [HACKERS] listening addresses

2004-03-15 Thread Andrew Dunstan
I wrote: Josh Berkus wrote: If I had time, I would also love to see setting the password for the postgres user become part of the initdb script. However, I can see that this wouldn't work with packages. Orthogonal problem. BTW, initdb is no longer a script - some idiot rewrote it in C

Re: [HACKERS] listening addresses

2004-03-15 Thread John Hansen
Idiot is such a strong word, don't you think? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Dunstan Sent: Tuesday, March 16, 2004 7:26 AM To: Postgresql Hackers Subject: Re: [HACKERS] listening addresses I wrote: Josh Berkus wrote: If I had

Re: [HACKERS] listening addresses

2004-03-15 Thread Tom Lane
Andrew Dunstan [EMAIL PROTECTED] writes: The intention is to make localhost the default. That should translate to 127.0.0.1 and ::1 (if they have ipv6 on). Of course, if they have a broken resolver things might get sticky, but that is true now anyway. Just to be clear: right now, if

Re: [HACKERS] listening addresses

2004-03-15 Thread Andrew Dunstan
Tom Lane wrote: Andrew Dunstan [EMAIL PROTECTED] writes: The intention is to make localhost the default. That should translate to 127.0.0.1 and ::1 (if they have ipv6 on). Of course, if they have a broken resolver things might get sticky, but that is true now anyway. Just to be clear:

Re: [HACKERS] listening addresses

2004-03-15 Thread Tom Lane
Andrew Dunstan [EMAIL PROTECTED] writes: I did wonder if we should treat localhost as a bit special and not rely on the resolver for it. I don't think so; we went in the other direction in 7.4 for pgstats. (It used to try to bind to 127.0.0.1 and now tries localhost.) So far I've not seen any

Re: [HACKERS] listening addresses

2004-03-15 Thread Bruce Momjian
Tom Lane wrote: Josh Berkus [EMAIL PROTECTED] writes: Might I suggest that this default to 127.0.0.1 in postgresql.conf.sample? No, the default should be localhost. Your thinking is too IPv4-centric. FYI, once we default to listening on localhost, we need to warn folks who are using

Re: [HACKERS] listening addresses

2004-03-15 Thread Tom Lane
Bruce Momjian [EMAIL PROTECTED] writes: FYI, once we default to listening on localhost, we need to warn folks who are using socket permission to control access that they have to turn off localhost. That needs to be mentioned in the release notes, and in the SGML docs that talk about socket

Re: [HACKERS] listening addresses

2004-03-15 Thread Bruce Momjian
Tom Lane wrote: Bruce Momjian [EMAIL PROTECTED] writes: FYI, once we default to listening on localhost, we need to warn folks who are using socket permission to control access that they have to turn off localhost. That needs to be mentioned in the release notes, and in the SGML docs that

[HACKERS] listening addresses

2004-03-14 Thread Andrew Dunstan
[removing to hackers as it is of general interest] Tom Lane wrote: Andrew Dunstan wrote: That seems to me to get as close as reasonably possible to the Unix behaviour. I don't think that always allowing localhost connections on Windows is a big security risk. Is it a big security

Re: [HACKERS] listening addresses

2004-03-14 Thread Tom Lane
Andrew Dunstan [EMAIL PROTECTED] writes: This slipped off my radar. I have just spent a little while thinking about it. How about this: we replace tcpip_socket and virtual_host with a new var called listen_addresses, which can have values of local, all, or a list of addresses? The default