(I have a basic understanding of networking)

So I read another post that explains that listen_addresses just involves an extra layer of security before the login: How to configure postgresql postgresql.conf listen_addresses for multiple ip addresses

But what I want to know is why listen_addresses doesn't have to be put in CIDR format for the IPs you put in there.

In pg_hba.conf it's ##.##.##.##/## for CIDR format. So why does postgresql.conf's listen_addresses use just the IP and without the subnet mask? (And also, I put my public IP address for both but access isn't allowed if I put it in listen_addresses, which means...?)

Side question (maybe for subnet): Amazon EC2 doesn't let me use my public IP address/24, it has to be /32 (saying the size is too small), but I put /24 in pg_hba.conf so clearly it's valid?

dtc

1 Answer

You cannot listen to a CIDR range in any OS I know of. Essentially, what happens is that listen_addresses is matched to one or more IP interfaces by the host OS, which binds PostgreSQL's listening socket(s) to those interfaces.

listen_addresses controls what network interfaces PostgreSQL can accept connections on, not what clients can connect to PostgreSQL.

In the case of EC2, listen_addresses cannot contain your public IP because it is not a local interface on the host. You must listen on the actual network interface, which for EC2 is usually a 10.x.x.x private IP. In practice there's no point setting listen_addresses to anything except * on EC2 unless you're using VPC and have added multiple interfaces to your host connected to different subnets.

Craig Ringer
  • Ahhh, thank you. I was guessing that I would have to use the private IP address, but based on that link I posted, I was thinking it would make more sense that the connection would route to postgresql.conf before pg_hba.conf (since pg_hba.conf is literally logging them in, it makes sense to me that any security check would happen before that, meaning a private-before-public check wouldn't make sense). – dtc Feb 28 '13 at 01:16
  • Also, any explanation on my side question? Regarding subnets, I thought whether /24 or /32, it's restricted to a different subnet, so I don't see why it has to be /32. – dtc Feb 28 '13 at 01:16
  • @dtc Because it just doesn't make sense to listen to a subnet. You can listen to the wildcard `*` meaning all addresses on the local host, or a specific address list. `/32` is exactly one host address, and is the only form that makes any sense when listening. It's like asking "why can't I set my Ethernet interface's IP address to 10.1.1.4/24" ... you can't, it doesn't make sense. You can set it to 10.1.1.4 and specify that it's on a network that uses a /24 subnet, but the address you've specified is still 10.1.1.4 with no mask, i.e. /32. – Craig Ringer Feb 28 '13 at 03:28
  • @dtc Your fundamental confusion is that `pg_hba.conf` is about the *remote* (client) address, and `listen_addresses` is about the *local* address(es) Pg listens on. – Craig Ringer Feb 28 '13 at 03:34
  • Alright, thanks. I think my main confusion might be about the difference between public and private IP/subnet masks, but I'll try to look that up myself. – dtc Feb 28 '13 at 19:23
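The distinction drawn in the answer and the comments, as an added illustration that is not part of the original answer: `listen_addresses` entries are single host addresses that must exist on the local machine (so a non-local public IP is rejected, and a `/24` entry is not even a valid address), while `pg_hba.conf` tests a CIDR mask against the remote client address, first matching rule wins. The interface list, public IP and hba rules are constructed for the example.

```python
import ipaddress

# Constructed host: an EC2-style private interface plus loopback. The public IP
# is not a local interface, exactly the situation described in the answer.
LOCAL_INTERFACES = {"127.0.0.1", "10.0.1.23"}
PUBLIC_IP = "203.0.113.10"  # constructed, from the documentation range


def resolve_listen_addresses(listen_addresses, local_interfaces):
    """Mimic what the OS does with listen_addresses: each entry must be a single
    local interface address, or '*' for every local address. Returns the
    addresses PostgreSQL could bind and the entries that would fail."""
    bound, rejected = [], []
    for entry in (e.strip() for e in listen_addresses.split(",")):
        if entry == "*":
            bound.extend(sorted(local_interfaces))
            continue
        try:
            addr = ipaddress.ip_address(entry)  # no mask allowed here
        except ValueError:
            rejected.append(entry)  # e.g. "10.0.1.0/24": you cannot bind a range
            continue
        # bind() on an address the host does not own fails (EADDRNOTAVAIL)
        (bound if str(addr) in local_interfaces else rejected).append(entry)
    return bound, rejected


def hba_allows(rules, client_ip):
    """pg_hba.conf style check: the CIDR in each rule is matched against the
    *remote* client address; the first matching rule decides the auth method."""
    client = ipaddress.ip_address(client_ip)
    for _user, network, method in rules:
        if client in ipaddress.ip_network(network, strict=False):
            return method
    return None  # no rule matched: PostgreSQL rejects the connection


# Constructed rules in pg_hba.conf order: (user, address, method).
HBA_RULES = [
    ("all", "127.0.0.1/32", "trust"),
    ("all", "198.51.100.0/24", "md5"),  # a /24 is fine here: it is a client range
    ("all", "0.0.0.0/0", "reject"),
]

if __name__ == "__main__":
    print(resolve_listen_addresses(f"{PUBLIC_IP}, 10.0.1.23", LOCAL_INTERFACES))
    print(resolve_listen_addresses("10.0.1.0/24", LOCAL_INTERFACES))
    print(hba_allows(HBA_RULES, "198.51.100.77"), hba_allows(HBA_RULES, "203.0.113.5"))
```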