HiveBrain v1.2.0
Get Started
← Back to all entries
patternsqlMajor

Postgres connection access denied on IPv6 address

Submitted by: @import:stackexchange-dba··
0
Viewed 0 times
addresspostgresdeniedaccessconnectionipv6

Problem

Installed PostgreSQL 9.1 x64 on Windows, set up a listen address, but when connecting with pgAdmin I get the following error. Not sure why PostgreSQL is seeing my IPv6 address and not my regular IP address:

To get authentication working, based on the error message, I updated pg_hba.conf with this:

host all all fe80::c5d2:XXXX:XXXX:3bc0/12 trust

That worked, but it's ugly, and too specific. I tried the following based on PostgreSQL docs, but none worked, I get the same 'access denied' error:

local all all trust
host all all 0.0.0.0/12 trust


I got this one working, which covers the entire IPv6 address space, but how can I specify an IPv6 range for more restriction?

host  mydb  myuser  ::/0   trust


Questions

  • Why does pgAdmin pick up my IPv6 address and not my normal IP?



  • How do I specify a range in IPv6 without resorting to ::/0?

Solution

The IPv6 addresses starting with fe80: are link-local addresses. They cannot be routed across different subnets or the internet. They are for communication between machines connected to the same LAN only. The link-local range is defined as fe80::/10. If you trust everybody on your local LAN then you could do

host  all  all  fe80::/10  trust


If you don't trust everybody on your local LAN then you probably want to use username+password protection:

host  all  all  fe80::/10  md5


When specifying md5 you are still using username+password protection, but the password is not transmitted in a readable format anymore. Since you're not trusting people on your local LAN you probably shouldn't send a snoopable password over the wire either.

Code Snippets

host  all  all  fe80::/10  trust
host  all  all  fe80::/10  md5

Context

StackExchange Database Administrators Q#43608, answer score: 22

Revisions (0)

No revisions yet.