Hi,
Splitting this out from #1272, the generated netmask/cidr for replication peer_ip is too open at /0:
{%- for peer_ip in peers_ips %}
- {{ 'hostssl' if enable_tls else 'host' }} replication replication {{ peer_ip }}/0 md5
{% endfor %}
A /0 allows all and I think should be /32 though could probably get away with using /24. Thankfully it is authenticated with md5 and in our Canonical IS deployed environments have additional layers of security with firewalling as well as OpenStack security groups.
Hi,
Splitting this out from #1272, the generated netmask/cidr for replication peer_ip is too open at
/0:A
/0allows all and I think should be/32though could probably get away with using/24. Thankfully it is authenticated withmd5and in our Canonical IS deployed environments have additional layers of security with firewalling as well as OpenStack security groups.