Package: postgresql-11
Version: 11.5-1.pgdg100+1

When I manually launch a postgres server using the -h flag to specify the IP that the server listens on, it is not respected. Instead the requested port is bound on all IPs for the given machine.

$ ip address | grep "inet "
    inet 127.0.0.1/8 scope host lo
    inet 172.27.16.50/24 brd 172.27.16.255 scope global dynamic noprefixroute wlp0s20f3
$ nmap -p 1045 172.27.16.50
Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-20 14:13 CDT
Nmap scan report for 172.27.16.50
Host is up (0.000053s latency).

PORT     STATE  SERVICE
1045/tcp closed fpitp

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
$ # launch postgres (in another terminal)
$ /usr/lib/postgresql/11/bin/postgres \
    -h127.0.0.1 \
    -p1045 \
    -D/home/[redacted]/postgres \
    -k/home/[redacted]/postgres \
    -i;
$ nmap -p 1045 172.27.16.50
Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-20 14:17 CDT
Nmap scan report for 172.27.16.50
Host is up (0.000048s latency).

PORT     STATE SERVICE
1045/tcp open  fpitp

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

The same incorrect behavior (listening on all IPs) occurs when setting `listen_addresses='127.0.0.1'` in postgresql.conf.

Instead, I would expect postgres to only listen on the requested IPs. This is a reasonably serious error as it could potentially expose a postgres server to a public network when it is expected to only bind to a private network.

I am using Debian GNU/Linux Buster 10.0 with kernel 4.19.0-5-amd64.

Best,
-Andy
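
As an added example (not part of the original report): a shell check that reads `ss -ltn` output and reports whether every listener on a port is bound to the expected address, which shows the bound address directly instead of inferring it from a port scan. The function name `check_bind` and the sample socket lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ss -ltn` output (not captured from the reporter's machine).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:1045 0.0.0.0:*
LISTEN 0 128 [::]:1045 [::]:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 172.27.16.50:8080 0.0.0.0:*'

# check_bind PORT EXPECTED_ADDR  (hypothetical helper)
# Reads `ss -ltn` lines on stdin and prints one verdict per listener on PORT.
# Exit status: 0 = all listeners bound to EXPECTED_ADDR,
#              1 = wildcard or unexpected address found,
#              2 = nothing is listening on PORT.
check_bind() {
    awk -v port="$1" -v want="$2" '
        # Column 4 is "address:port"; the last colon separates the two,
        # which also handles bracketed IPv6 such as [::]:1045.
        $1 == "LISTEN" && match($4, /:[^:]*$/) {
            addr = substr($4, 1, RSTART - 1)
            if (substr($4, RSTART + 1) != port) next
            seen++
            if (addr == "*" || addr == "0.0.0.0" || addr == "::" || addr == "[::]") {
                printf "WILDCARD %s\n", $4; bad++      # bound on all interfaces
            } else if (addr != want) {
                printf "UNEXPECTED %s\n", $4; bad++    # bound, but not where intended
            } else {
                printf "OK %s\n", $4
            }
        }
        END {
            if (!seen) { print "NOLISTENER " port; exit 2 }
            exit (bad ? 1 : 0)
        }'
}

# Stand-alone demonstration on the constructed sample.
# On a live host, feed real data instead: ss -ltn | check_bind 1045 127.0.0.1
printf '%s\n' "$SAMPLE_SS" | check_bind 1045 127.0.0.1 \
    || echo "port 1045 is not restricted to 127.0.0.1"
```
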