pg_hba.conf can be a pain in the neck. You're expecting some burst traffic, you deploy 8 new virtual appservers, fire them up, and ... they can't connect to Postgres. Gah!
That kind of experience makes it tempting to set everything to:
host all all 0.0.0.0/0 md5
But I just encountered another case this month why you shouldn't. While everyone thinks about malefactors as the main reason to have tight restrictions on which hosts can connect via pg_hba.conf, one should remember that accidents are far more common than malice. As was the case this time.
I set up a benchmark test for a client which involved replaying 8 hours of activity logs against a test copy of their database. What they didn't tell me (because they didn't know due to poor internal documentation) was that their database used DBlink to write data to another database several times a minute.
Thank goodness they had exercised good pg_hba.conf practices! All I got was a bunch of DBlink errors, instead of scribbling all over production data. Whew!