PostgreSQL and IPV6
I'm using to computers :
- a laptop under Xubuntu 12.04 with PostgreSQL 9.1
- a desktop under Mac OS X Mountain Lion with PostgreSQL 9.2
After the switch to Mountain Lion, i had a small prob connecting to a
database on my laptop.
Usually when, from the laptop, i connect to the deskop which arn't under
the same LAN, I'm using the IPV6 address of the desktop terminating by
"2559" (by psql or ssh : same IPV6 address).
However when connecting from desktop to laptop, altough the IPV6 address of
my desktop is in my pg_hba.conf,psql rejected the connection because an
address terminating by "18cf" isn't in my pg_hba.conf.
Then i did verify my mac os x setup showing that this address is a valid
one for my desktop, in fact my desktop does have up to eight IPV6 addresses.
After that, i edited the pg_hba.conf on my laptop and everything goes as
expected.
The question is about this IPV6 address terminating by "18cf".
first under Mac OS X Lion, i didn't have this address.
Why, in one direction from laptop to desktop i use successfully :
psql -h IPV6-terminating-by-2559
and the other way, from desktop to laptop this is IPV6-terminating-by-18cf
being seen by the laptop's PostgreSQL ?
--
Yvon
On Sat, Nov 03, 2012 at 09:11:51AM +0100, Yvon Thoraval wrote:
I'm using to computers :
- a laptop under Xubuntu 12.04 with PostgreSQL 9.1
- a desktop under Mac OS X Mountain Lion with PostgreSQL 9.2After the switch to Mountain Lion, i had a small prob connecting to a
database on my laptop.
<snip>
However when connecting from desktop to laptop, altough the IPV6 address of
my desktop is in my pg_hba.conf,psql rejected the connection because an
address terminating by "18cf" isn't in my pg_hba.conf.Then i did verify my mac os x setup showing that this address is a valid
one for my desktop, in fact my desktop does have up to eight IPV6 addresses.
IIRC MacOS X uses the IPv6 privacy extensions which means that clients
will regularly get different source IPs. The machine does this by
adding a new address every now and then.
A side effect of this is that you can't firewall on specific IP. A few
things I can think of:
- Find a way to fix the IP address.
- Use the link-local address (beginning with fe80) as they won't
change. Only works on a single network ofcourse.
- Allow the whole subnet, rather than individual IPs.
Why, in one direction from laptop to desktop i use successfully :
psql -h IPV6-terminating-by-2559
and the other way, from desktop to laptop this is IPV6-terminating-by-18cf
being seen by the laptop's PostgreSQL ?
Linux does not use privacy extensions by default, so the IP address
doesn't change. Maybe that explains it?
Have a nice day,
--
Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/
He who writes carelessly confesses thereby at the very outset that he does
not attach much importance to his own thoughts.
-- Arthur Schopenhauer
Fine, thanks for your answer, I'll then use a subnet IP in my pg_hba.conf.
Because, as far as i understand well your answer, the address terminating
with 18cf might change after a computer restart...
Also on the linux side i had to do something to fix IPV6 address otherwise
it was changing at every WiFi connection/deconnection...
2012/11/3 Martijn van Oosterhout <kleptog@svana.org>
On Sat, Nov 03, 2012 at 09:11:51AM +0100, Yvon Thoraval wrote:
I'm using to computers :
- a laptop under Xubuntu 12.04 with PostgreSQL 9.1
- a desktop under Mac OS X Mountain Lion with PostgreSQL 9.2After the switch to Mountain Lion, i had a small prob connecting to a
database on my laptop.<snip>
However when connecting from desktop to laptop, altough the IPV6 address
of
my desktop is in my pg_hba.conf,psql rejected the connection because an
address terminating by "18cf" isn't in my pg_hba.conf.Then i did verify my mac os x setup showing that this address is a valid
one for my desktop, in fact my desktop does have up to eight IPV6addresses.
IIRC MacOS X uses the IPv6 privacy extensions which means that clients
will regularly get different source IPs. The machine does this by
adding a new address every now and then.A side effect of this is that you can't firewall on specific IP. A few
things I can think of:- Find a way to fix the IP address.
- Use the link-local address (beginning with fe80) as they won't
change. Only works on a single network ofcourse.- Allow the whole subnet, rather than individual IPs.
Why, in one direction from laptop to desktop i use successfully :
psql -h IPV6-terminating-by-2559
and the other way, from desktop to laptop this is
IPV6-terminating-by-18cf
being seen by the laptop's PostgreSQL ?
Linux does not use privacy extensions by default, so the IP address
doesn't change. Maybe that explains it?Have a nice day,
--
Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/He who writes carelessly confesses thereby at the very outset that he
does
not attach much importance to his own thoughts.
-- Arthur Schopenhauer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)iQIVAwUBUJTgV0vt++dL5i1EAQiJyg//XevrCIinp0TI6A5mkwzF9ct+QOIaArwI
2NI1q9TJy1ojWpVX1/YLEEyn4v4SWiULhg3XyNKxE/kYbUWL+ZyAwc9PTf/USTKi
/1+p3dzEinNc68Gu7vNbgc8X7jzg6dPlJdnx68rccac5cnVpgofSZNjGyfDjJDHa
j4+2hjc4eo0vz/MXMstqWZ/WWB77xmQNc10s/NGMSy8YxBY+6PcJ7Al9I/7ntgiE
n6j3N/UyTk1EeLrPfeXScShqjUObGS85WQ8paOtY2D6fax1IbvbucqYyAnoLcvP9
I47WV2h98rlwAQSD4BfWpDTc0MHvzsHIOM+QU2AyNZ4TKvp+9drKIUHRPAwAzL/n
B5Io5HSFppWJLKOsnybzUhIBob4Rm4lIjONw9mi+B0j6XtXLzIcm/snqkYIYnQwI
VEvkifueIf2p3wH82ccQKC8BUyh4GWKgJNUN/7ZvhQYDbUDWNDHg10vS9vd5imxG
urOpIFfWexLg56lhoRdOvxtc4pz09c0rrNzgLzfhC/RDmOp6lJVDGSwynxhntCYX
QI8rdjTT4/uERBuVFy4T6ZDW7Y4TzznIjVWWOdIfuJHOa+dR0iNBzgWDxKWUPr1i
BJCrY6dirWzJT+jSDR6dF8RdJ/OZ4GhC3lPjkIOQg15m8fSQy/W9FRb+PnRgabTr
LPuKb/12y78=
=tnB1
-----END PGP SIGNATURE-----
--
Yvon