Using Firewall in a Postgres Cluster
Introduction
When you deploy a PostgreSQL cluster, your job doesn’t end with high availability or replication setup. One of the most crucial steps is ensuring your nodes are secure from unauthorized access. That’s where a firewall, more specifically firewalld, comes in. Firewalld is a dynamic firewall manager for Linux systems. It offers a powerful and flexible way to define which connections are allowed and which are denied. In this guide, we’ll walk through the fundamentals of firewalld, explain how it works, and show you how to configure it to protect your PostgreSQL cluster effectively.

What is Firewalld?
Firewalld is a firewall management tool for Linux that provides a user-friendly interface to control network traffic. It replaces traditional tools like iptables with a more modern and persistent configuration model.
Key features include:
- Zones: Group network interfaces under specific security policies.
- Services & Ports: Open or close services or specific ports.
- Rich Rules: Define detailed access rules using IP addresses, protocols, and directions.
- Runtime vs Permanent Configuration: Allows testing rules temporarily before making them permanent.
Core Concepts
1. Zones
Zones define trust levels for network interfaces. For instance, public is the most commonly used zone and has limited access rules by default.
2. Ports
Most services, including PostgreSQL, operate on specific ports (e.g., 5432). Opening a port means allowing incoming traffic on that service.
3. Rich Rules
Rich rules let you define complex policies — such as allowing traffic only from certain IPs or subnets, or matching multiple conditions like protocol and port.
Installing and Managing Firewalld
Install firewalld if not already available:
sudo dnf install firewalld # RHEL/CentOS/Fedora
sudo apt install firewalld # Debian/Ubuntu
Start and enable the service:
sudo systemctl start firewalld
sudo systemctl enable firewalld
Check its status:
sudo firewall-cmd --state
Basic Usage Examples
1. Open a TCP Port
sudo firewall-cmd --zone=public --add-port=5000/tcp --permanent
sudo firewall-cmd --reload
2. Close a Previously Opened Port
sudo firewall-cmd --zone=public --remove-port=5000/tcp --permanent
sudo firewall-cmd --reload
3. Allow Access to a Port Only From a Specific IP
sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.**.**.**" port port="5000" protocol="tcp" accept' --permanent
sudo firewall-cmd --reload
4. Block All Incoming Traffic
sudo firewall-cmd --zone=public --set-target=DROP --permanent
sudo firewall-cmd --reload
Note: Outbound traffic remains allowed even when using DROP.
Firewalld in a PostgreSQL Cluster Setup
PostgreSQL runs on port 5432 by default. In a multi-node cluster, not all nodes should be exposed to the outside world. Only trusted application servers, monitoring tools, or other database nodes should be allowed to connect.
Recommended configuration:
Restrict public access:
sudo firewall-cmd --zone=public --remove-port=5432/tcp --permanent
Allow specific trusted IP addresses (e.g., application server, replica node):
sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.**.**.**" port port="****" protocol="tcp" accept' --permanent
Reload to apply rules:
sudo firewall-cmd --reload
Repeat for each node in the cluster with the appropriate IP rules, and do not forget the port used by the leader election nodes (e.g., 2379). This allows PostgreSQL replication traffic or app connections while blocking any unknown or malicious access.
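One way to verify the end state of the steps above on each node, as an added example that is not part of the original article: it parses the text printed by `sudo firewall-cmd --zone=public --list-all` and fails if port 5432 is reachable zone-wide or from a source that is not on your trusted list. The function names, the sample listing and its addresses are constructed for illustration.

```shell
# Added example (not from the article): audit a firewalld zone listing for
# PostgreSQL exposure. The listing is read from stdin, e.g.
#   sudo firewall-cmd --zone=public --list-all | check_pg_zone 10.0.0.11
PGPORT=5432  # PostgreSQL default port, per the article

# Print one finding per line: OPEN_TARGET, OPEN_SERVICE, OPEN_PORT (reachable
# from any source) or ALLOW=<source> for each rich rule accepting PGPORT/tcp.
audit_pg_exposure() {
    awk -v port="$PGPORT" '
    /^[ \t]*target:/ && $2 == "ACCEPT" { print "OPEN_TARGET" }
    /^[ \t]*services:/ { for (i = 2; i <= NF; i++) if ($i == "postgresql") print "OPEN_SERVICE" }
    /^[ \t]*ports:/ {                      # entries look like 5432/tcp or 5000-6000/tcp
        for (i = 2; i <= NF; i++) {
            split($i, p, "/"); n = split(p[1], r, "-"); hi = (n == 2) ? r[2] : r[1]
            if (p[2] == "tcp" && port + 0 >= r[1] + 0 && port + 0 <= hi + 0) print "OPEN_PORT"
        }
    }
    /^[ \t]*rule / && / accept/ && index($0, "port=\"" port "\"") && index($0, "protocol=\"tcp\"") {
        if (match($0, /source address="[^"]*"/)) print "ALLOW=" substr($0, RSTART + 16, RLENGTH - 17)
        else print "ALLOW=any"             # accept rule with no source restriction
    }'
}

# Exit 0 only if nothing is open zone-wide and every ALLOW source exactly
# matches one of the trusted addresses given as arguments.
check_pg_zone() {
    status=0
    for finding in $(audit_pg_exposure); do
        trusted=no
        for t in "$@"; do
            if [ "ALLOW=$t" = "$finding" ]; then trusted=yes; fi
        done
        if [ "$trusted" = no ]; then echo "FAIL: $finding" >&2; status=1; fi
    done
    return "$status"
}

# Constructed sample listing (addresses are made up): the port is still open
# to everyone and one rich rule admits a host that is not on the trusted list.
SAMPLE_LISTING='public (active)
  target: default
  services: ssh
  ports: 5432/tcp 2379/tcp
  forward-ports:
  rich rules:
    rule family="ipv4" source address="10.0.0.11" port port="5432" protocol="tcp" accept
    rule family="ipv4" source address="10.0.0.99" port port="5432" protocol="tcp" accept'

printf '%s\n' "$SAMPLE_LISTING" | check_pg_zone 10.0.0.11 || echo "public zone exposes PostgreSQL"
```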
Conclusion
Securing a PostgreSQL cluster is not just about database-level authentication and SSL. You also need to control who can even reach your database port in the first place. That’s where firewalld excels.
With a few clear commands, you can configure your firewall to:
- Allow only trusted IPs,
- Limit unnecessary open ports,
- Prevent brute force or scanning attempts,
- And make your PostgreSQL infrastructure much more resilient.
Firewalld is an essential part of any production-grade PostgreSQL deployment, especially in distributed environments. Take the time to configure it right: it’s a small effort for a big gain in security.