sql_firewall: SQL Firewall Extension for PostgreSQL


sql_firewall is a PostgreSQL extension which is intended to protect a database from SQL injections or unexpected queries.

The sql_firewall module learns the queries which may be executed, and prevents or warns on the execution of queries which are not found in the learned firewall rules.


How to get this tool

To use this tool, please use one of the methods listed below.

On Linux (Debian), run the following commands. sql_firewall is built as a PostgreSQL extension using PGXS, so the PostgreSQL binaries (pg_config in particular) must be on PATH:

export PATH=$PGHOME/bin:$PATH
export USE_PGXS=1
sudo make install


Download directly from the following link:


How to execute

sql_firewall can take one of four modes, specified in the sql_firewall.firewall parameter: "learning", "enforcing", "permissive" and "disabled".

In the "learning" mode, sql_firewall collects the pairs of "userid" and "queryid" associated with the executed queries. The "queryid" is calculated from the query's parse tree, in the same way as pg_stat_statements does, so that queries which differ only in their constants share a queryid.

In the "enforcing" mode, sql_firewall checks whether each incoming query is in the list of collected pairs of "userid" and "queryid", the firewall rules. When a query that is not in the firewall rules comes in, sql_firewall raises an error, with a message, so that the query is not executed.

In the "permissive" mode, sql_firewall checks queries in the same way, but still allows queries that are not in the firewall rules to execute, and produces a warning for each such query.
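The following is an added, simplified model of the behaviour described above; it is not code from the sql_firewall extension. It assumes a stand-in for the parse-tree based queryid (string and numeric literals are replaced by a placeholder before hashing, which is a simplification of what pg_stat_statements does), constructed role OIDs, and constructed error and warning texts. It shows why a learned rule tolerates a different constant in the same statement but rejects a structurally different statement, such as an appended tautology, and how each mode reacts.

```python
import hashlib
import re
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Mode(Enum):
    """The four values of the sql_firewall.firewall parameter."""
    LEARNING = "learning"
    ENFORCING = "enforcing"
    PERMISSIVE = "permissive"
    DISABLED = "disabled"


# Literals to strip before hashing: single-quoted strings (with '' escapes)
# and integer/decimal numbers. Identifiers such as t1 are left untouched.
_LITERAL = re.compile(
    r"""
    '(?:[^']|'')*'
  | \b\d+(?:\.\d+)?\b
    """,
    re.VERBOSE,
)


def compute_queryid(sql: str) -> int:
    """Hypothetical stand-in for the parse-tree queryid: only the shape of the
    statement is hashed, so 'id = 1' and 'id = 999' map to the same value."""
    normalized = _LITERAL.sub("?", sql)
    normalized = re.sub(r"\s+", " ", normalized).strip().lower()
    digest = hashlib.sha256(normalized.encode()).digest()
    return int.from_bytes(digest[:8], "big")


@dataclass
class Verdict:
    allowed: bool
    message: Optional[str] = None  # None when nothing is reported


@dataclass
class SqlFirewall:
    mode: Mode = Mode.DISABLED
    # The firewall rules: learned (userid, queryid) pairs.
    rules: set = field(default_factory=set)

    def check(self, userid: int, sql: str) -> Verdict:
        """Decide whether a query may run, following the mode semantics."""
        if self.mode is Mode.DISABLED:
            return Verdict(True)
        pair = (userid, compute_queryid(sql))
        if self.mode is Mode.LEARNING:
            self.rules.add(pair)          # learning: record and allow
            return Verdict(True)
        if pair in self.rules:
            return Verdict(True)          # known pair: allow silently
        # Constructed message text; the extension's own wording may differ.
        msg = f"query not in firewall rules for user {userid}: {sql}"
        if self.mode is Mode.ENFORCING:
            return Verdict(False, "ERROR: " + msg)
        return Verdict(True, "WARNING: " + msg)   # permissive: allow but warn


def demo() -> dict:
    """Learn two statements, then exercise enforcing and permissive modes."""
    fw = SqlFirewall(Mode.LEARNING)
    app_user = 16384    # constructed OID of the application role
    other_user = 16385  # constructed OID of a second role with no rules
    fw.check(app_user, "SELECT * FROM accounts WHERE id = 42")
    fw.check(app_user, "UPDATE accounts SET balance = 10.5 WHERE id = 42")

    fw.mode = Mode.ENFORCING
    results = {
        # Same shape, different constant: shares the learned queryid.
        "same_shape_new_literal": fw.check(
            app_user, "SELECT * FROM accounts WHERE id = 7").allowed,
        # Extra OR node changes the shape, so the pair is unknown.
        "injected_tautology": fw.check(
            app_user, "SELECT * FROM accounts WHERE id = 7 OR 1 = 1").allowed,
        # Rules are per (userid, queryid): another role has no rule for this.
        "other_user_same_query": fw.check(
            other_user, "SELECT * FROM accounts WHERE id = 7").allowed,
    }

    fw.mode = Mode.PERMISSIVE
    verdict = fw.check(app_user, "DROP TABLE accounts")
    results["permissive_allows"] = verdict.allowed
    results["permissive_warns"] = bool(verdict.message) and verdict.message.startswith("WARNING")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The per-user scoping is the detail worth noticing: a statement learned for the application role does not authorise the same statement for any other role, so the learning run should be performed under exactly the roles the application will later use.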





Next steps:


This article was contributed by Racquel Bailey from Jamaica. Racquel is a member of the Caribbean CSPA.
