In looking over our authentication code, I noticed that we create the
child process before we check any of the pg_hba.conf file. Now, I
realize we can't do authentication in the postmaster because of possible
delay, and checking the user name and database name filters is just work
that is better done in the child, but checking the IP address might
prevent unauthorized clients from causing excessive process creation on
the server. I know we have listen_addresses, but that defaults to "*"
on the click-through installers, and not everybody knows how to set up a
firewall.
Anyway, I just wanted to mention it in case there was something to be
done here.
-- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB
http://enterprisedb.com
+ It's impossible for everything to be true. +