From: | John R Pierce <pierce(at)hogranch(dot)com> |
---|---|
To: | Slansky Lukas <Lukas(dot)Slansky(at)upce(dot)cz> |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: PGSQL x iptables |
Date: | 2009-05-06 07:41:29 |
Message-ID: | 4A013F29.2080309@hogranch.com |
Lists: | pgsql-general |
Slansky Lukas wrote:
>
> Hello,
>
> we're using PG and an Application Server (JBoss) on separate CentOS
> servers with a Cisco PIX in between. On the DB side there is iptables with
> the following relevant rules:
>
> 1. -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> 2. -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s
> aaa.bbb.ccc.ddd --dport 5432 -j ACCEPT
>
> 3. -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>
> I was wondering when these rules are not OK for our environment. It
> seems that rules 1 and 2 sometimes pass packets and therefore these
> packets are rejected. Such a connection is then in some weird state,
> doesn't communicate (obviously - packets are dropped) and the psql (or
> JBoss) connection blocks for a long time (at least a few hours).
>
> Everything seems to be OK since I changed rule 2 to "-A
> RH-Firewall-1-INPUT -m tcp -p tcp -s aaa.bbb.ccc.ddd --dport 5432 -j
> ACCEPT".
>
> I'm really confused - what other states are possible for iptables
> except ESTABLISHED, RELATED or NEW? In the iptables manpage there is only
> INVALID, but why is this state emerging?
>
This is a linux iptables question, not a postgres question.
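The question above is really about how netfilter connection tracking labels a packet. Below is an added, simplified model of that state machine and of the three RH-Firewall-1-INPUT rules quoted in the post; it is not code from the thread or from any real firewall. It assumes only two things worth naming: a flow is identified by its endpoint pair, and a non-SYN packet with no conntrack entry is either picked up mid-stream as NEW (what the nf_conntrack_tcp_loose sysctl allows) or labelled INVALID. Real conntrack additionally checks TCP sequence windows (nf_conntrack_tcp_be_liberal) and has timeouts, which this model stands in for with an explicit expire() call. The DB address and ports are constructed; aaa.bbb.ccc.ddd is the placeholder from the original post.

```python
"""Toy model of iptables conntrack states and the RH-Firewall-1-INPUT chain
from the thread.  Hypothetical and simplified (see lead-in)."""
from dataclasses import dataclass, field

APP_SERVER = "aaa.bbb.ccc.ddd"   # placeholder used in the original post
DB_SERVER = "10.0.0.2"           # constructed address for the DB host


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset             # e.g. frozenset({"SYN"}) or frozenset({"ACK"})

    def key(self):
        # Direction-independent flow identifier (endpoint pair)
        return frozenset({(self.src, self.sport), (self.dst, self.dport)})


@dataclass
class Conntrack:
    tcp_loose: bool = True       # models net.netfilter.nf_conntrack_tcp_loose
    table: set = field(default_factory=set)

    def classify(self, pkt):
        """Return the -m state label conntrack would give this packet."""
        if pkt.key() in self.table:
            return "ESTABLISHED"
        is_bare_syn = "SYN" in pkt.flags and "ACK" not in pkt.flags
        if is_bare_syn or self.tcp_loose:
            # A bare SYN always starts a NEW flow; with tcp_loose=1 conntrack
            # also picks a flow up mid-stream from a non-SYN packet.
            self.table.add(pkt.key())
            return "NEW"
        # No entry, not a SYN, no mid-stream pickup: this is what INVALID means
        return "INVALID"

    def expire(self, pkt):
        """Model the conntrack entry timing out while both sockets stay open."""
        self.table.discard(pkt.key())


def state_rule(states, verdict):
    """-m state --state <states> -j <verdict>"""
    return lambda pkt, state: verdict if state in states else None


def pg_rule(require_new):
    """-m tcp -p tcp -s APP_SERVER --dport 5432 -j ACCEPT, with (rule 2 as
    posted) or without (the poster's stateless variant) '-m state --state NEW'."""
    def rule(pkt, state):
        if pkt.src == APP_SERVER and pkt.dport == 5432 and (state == "NEW" or not require_new):
            return "ACCEPT"
        return None
    return rule


def reject_all(pkt, state):
    """-j REJECT --reject-with icmp-host-prohibited (rule 3)"""
    return "REJECT"


ORIGINAL = [state_rule({"ESTABLISHED", "RELATED"}, "ACCEPT"), pg_rule(True), reject_all]
STATELESS = [state_rule({"ESTABLISHED", "RELATED"}, "ACCEPT"), pg_rule(False), reject_all]
# Defender's variant: make INVALID packets visible before the catch-all reject
LOGGED = [state_rule({"ESTABLISHED", "RELATED"}, "ACCEPT"),
          state_rule({"INVALID"}, "LOG"), pg_rule(True), reject_all]


def run_chain(rules, pkt, state, log):
    """First terminating verdict wins; LOG records the packet and continues."""
    for rule in rules:
        verdict = rule(pkt, state)
        if verdict == "LOG":
            log.append(f"INVALID {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {sorted(pkt.flags)}")
            continue
        if verdict is not None:
            return verdict
    return "ACCEPT"


def scenario(rules, tcp_loose):
    """Open a pool connection, let its conntrack entry expire, then send a bare
    ACK on the still-open socket.  Returns (verdicts per packet, log lines)."""
    ct, log, verdicts = Conntrack(tcp_loose=tcp_loose), [], []
    syn = Packet(APP_SERVER, 40001, DB_SERVER, 5432, frozenset({"SYN"}))
    ack = Packet(APP_SERVER, 40001, DB_SERVER, 5432, frozenset({"ACK"}))
    for pkt in (syn, ack):
        verdicts.append(run_chain(rules, pkt, ct.classify(pkt), log))
    ct.expire(ack)
    verdicts.append(run_chain(rules, ack, ct.classify(ack), log))
    return verdicts, log


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("stateless", STATELESS), ("logged", LOGGED)):
        for loose in (False, True):
            verdicts, log = scenario(rules, loose)
            print(f"{name:9s} tcp_loose={loose!s:5s} {verdicts} {log}")
```

With strict tracking the third packet has no entry and is not a SYN, so it is INVALID: rule 1 does not match, rule 2 requires NEW, and rule 3 rejects it, which is the blocked-connection symptom the poster describes. The stateless rule 2 accepts it, but it also accepts any packet from that source to 5432 regardless of state; the LOGGED chain keeps the state check and instead records INVALID packets, which is the check a practitioner wants before deciding whether to relax tcp_loose or tcp_be_liberal on a real host.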