Jan Wieck JanWieck
Fri Jun 2 06:45:38 PDT 2006
On 6/2/2006 4:25 AM, Aaron Randall wrote:

> Hi All,
> 
> I have an issue with Slony replication.  I have written a few small 
> scripts that generate and start Slony how I wish, using the IP addresses 
> I give for the nodes.  This works fine, assuming that the servers are in 
> the same subnet, but how could I solve the issue of each host needing to 
> be able to access the other, when one of the nodes is behind NAT, so 
> cannot access its own address?
> 
> Is there a way of adding something similar to the hosts file for IP 
> addresses, and so I could add a route for the NATted address to point 
> back to localhost on the box with NATing?

Done that ... but not directly.

To have the outside slon talk to the inside DB, you would have to 
configure the NATing firewall to forward the postmaster port to the DB 
server, which basically would let the firewall's external IP address 
appear like the DB server (bad idea security-wise).

What I do instead is to have the ssh port forwarded and sshd configured 
to accept pubkey authentication only (no login from the outside with 
password, you need to have the public keys installed in the server's 
authorized_keys2 file). With that in place, I start ssh with tunneling. 
That way, the remote postmaster behind the firewall will be available on 
another TCP/IP port on my local machine. A neat side effect is that ssh 
not only encrypts the whole traffic, but also can compress it.


Jan

-- 
#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me.                                  #
#================================================== JanWieck at Yahoo.com #
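
The setup described in the reply above, as an added example that is not part of the original message: a check that an sshd_config allows public-key logins only, plus the tunnel command and the conninfo the outside slon would then use. The gateway name, ports, user and database name are constructed placeholders, and the stated OpenSSH defaults are assumptions to verify against the installed version.

```bash
#!/usr/bin/env bash
# Added example; hosts, ports, user and database names are constructed.

# Exit 0 if the sshd_config file in $1 permits public-key logins only.
# Assumes OpenSSH semantics: keywords are case-insensitive, the first value
# found wins, unset keywords default to "yes". Reads only the global section
# of this one file (Include files and Match blocks are not followed).
sshd_pubkey_only() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        { sub(/[ \t]*=[ \t]*/, " ") }             # accept the Key=value form
        tolower($1) == "match" { exit }           # stop here, END still runs
        {
            k = tolower($1)
            if (k == "challengeresponseauthentication") k = "kbdinteractiveauthentication"
            if (!(k in v)) v[k] = tolower($2)
        }
        END {
            pw  = ("passwordauthentication" in v) ? v["passwordauthentication"] : "yes"
            kbd = ("kbdinteractiveauthentication" in v) ? v["kbdinteractiveauthentication"] : "yes"
            pk  = ("pubkeyauthentication" in v) ? v["pubkeyauthentication"] : "yes"
            exit ((pw == "no" && kbd == "no" && pk == "yes") ? 0 : 1)
        }
    ' "$1"
}

# Print the ssh invocation for the tunnel: -C compresses, -N runs no remote
# command, -L binds the forward to loopback only, BatchMode refuses prompts.
# Args: local_port gateway ssh_port db_host db_port user
tunnel_cmd() {
    printf 'ssh -N -C -o BatchMode=yes -o ExitOnForwardFailure=yes -p %s -L 127.0.0.1:%s:%s:%s %s@%s\n' \
        "$3" "$1" "$4" "$5" "$6" "$2"
}

# libpq conninfo the outside slon uses for the inside node (dbname user port).
tunnel_conninfo() {
    printf 'dbname=%s host=127.0.0.1 port=%s user=%s\n' "$1" "$3" "$2"
}

demo() {
    cfg=$(mktemp)
    printf '%s\n' '# constructed sample' 'PubkeyAuthentication yes' \
        'passwordauthentication no' 'ChallengeResponseAuthentication no' > "$cfg"
    sshd_pubkey_only "$cfg" && echo "sshd: pubkey only" || echo "sshd: password login possible"
    rm -f "$cfg"
    tunnel_cmd 15432 gw.example.net 22 127.0.0.1 5432 slony
    tunnel_conninfo repl slony 15432
}
demo
```

Binding the forward to 127.0.0.1 keeps the tunnelled postmaster port reachable only from the machine running the outside slon.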


