| From: | Craig Ringer <craig(at)postnewspapers(dot)com(dot)au> |
|---|---|
| To: | Slansky Lukas <Lukas(dot)Slansky(at)upce(dot)cz> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: PGSQL x iptables |
| Date: | 2009-05-06 07:47:06 |
| Message-ID: | 4A01407A.4080107@postnewspapers.com.au |
| Lists: | pgsql-general |
Slansky Lukas wrote:
> 1. -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> 2. -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s aaa.bbb.ccc.ddd --dport 5432 -j ACCEPT
>
> 3. -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>
> I was wondering when these rules are not OK for our environment. It
> seems that rules 1 and 2 sometimes pass packets and therefore these
> packets are rejected.
After a long period of inactivity, perhaps?
If you're relying on `-m state' or `-m ctstate' you should be using a
TCP keepalive. Otherwise the connection tracking entry for the
connection will be purged after a while - how long depends on your
firewall configuration - and then packets will no longer be seen as part
of an established connection.
--
Craig Ringer
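Worked example of the failure mode and the keepalive fix described in the reply above. This is an added example, not code from the original thread or from PostgreSQL itself. On Linux the conntrack entry for an idle ESTABLISHED TCP flow is dropped after net.netfilter.nf_conntrack_tcp_timeout_established seconds (kernel default 432000, i.e. 5 days; firewall builds often use far less), after which the next segment no longer matches `--state ESTABLISHED` and falls through to the REJECT rule. A TCP keepalive probe, or its ACK, is just another packet on the flow and refreshes the entry, so the first probe has to be sent well before the timer runs out. The code checks a proposed keepalive schedule against a timeout and applies the per-socket options that PostgreSQL's tcp_keepalives_idle, tcp_keepalives_interval and tcp_keepalives_count settings map to on Linux. The 3600 s timeout, the 0.5 safety fraction and the 300/30/3 schedule are assumptions for illustration, not values from the thread.

```python
"""Added example (not from the original mailing-list post).

Checks a TCP keepalive schedule against a stateful firewall's idle timeout
and applies the Linux per-socket keepalive options to a real socket.
"""
import socket

# Assumed firewall setting, in seconds. On a Linux firewall the real value is
#   sysctl net.netfilter.nf_conntrack_tcp_timeout_established
ASSUMED_CONNTRACK_ESTABLISHED_TIMEOUT = 3600


def keepalive_fits(idle, interval, count, conntrack_timeout, safety=0.5):
    """Return (ok, reason) for a keepalive schedule against a conntrack timeout.

    idle     : seconds of silence before the first probe  (tcp_keepalives_idle)
    interval : seconds between unanswered probes          (tcp_keepalives_interval)
    count    : unanswered probes before the link is dead  (tcp_keepalives_count)

    Any probe or probe-ACK refreshes the firewall's conntrack entry, so the
    first probe must leave before the entry expires. 'safety' is the fraction
    of the timeout we are willing to stay silent for (an assumed margin).
    """
    if min(idle, interval, count) <= 0:
        return False, "keepalive parameters must be positive"
    budget = conntrack_timeout * safety
    if idle > budget:
        return False, f"first probe after {idle}s exceeds the {budget:.0f}s budget"
    worst_case_detect = idle + interval * count
    return True, f"probe after {idle}s; dead peer noticed within {worst_case_detect}s"


def enable_tcp_keepalive(sock, idle, interval, count):
    """Enable keepalive on sock and set the Linux per-socket timers.

    Returns what the kernel reports back via getsockopt. TCP_KEEPIDLE,
    TCP_KEEPINTVL and TCP_KEEPCNT are Linux-specific; where they are absent
    the system-wide net.ipv4.tcp_keepalive_* defaults apply and None is
    returned for that field.
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    per_socket = (("TCP_KEEPIDLE", idle), ("TCP_KEEPINTVL", interval), ("TCP_KEEPCNT", count))
    for name, value in per_socket:
        opt = getattr(socket, name, None)
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)

    def read(name):
        opt = getattr(socket, name, None)
        return sock.getsockopt(socket.IPPROTO_TCP, opt) if opt is not None else None

    return {
        "keepalive": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE),
        "idle": read("TCP_KEEPIDLE"),
        "interval": read("TCP_KEEPINTVL"),
        "count": read("TCP_KEEPCNT"),
    }


def demo(conntrack_timeout=ASSUMED_CONNTRACK_ESTABLISHED_TIMEOUT):
    """Compare the Linux default schedule with a tuned one, then apply the tuned one."""
    results = {}
    # Linux default: first probe only after 7200 s of silence. Against a 1 h
    # conntrack timeout that is the failure in the thread: the entry is gone
    # before the first probe is ever sent.
    results["default_7200"] = keepalive_fits(7200, 75, 9, conntrack_timeout)
    # Equivalent of tcp_keepalives_idle=300, tcp_keepalives_interval=30,
    # tcp_keepalives_count=3 in postgresql.conf (assumed values).
    results["tuned_300"] = keepalive_fits(300, 30, 3, conntrack_timeout)
    # Apply the same schedule to a fresh, unconnected TCP socket; the options
    # are accepted before connect() and inherited by the live connection.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        results["socket"] = enable_tcp_keepalive(s, 300, 30, 3)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The schedule check is the part worth running first: the PostgreSQL server knobs above only override the kernel's defaults for the server's side of the connection, and a client behind its own firewall needs keepalives set on its end too (libpq exposes the same three values as connection parameters in later releases). Set the idle time comfortably below the shortest conntrack timeout on the path, not just the one on the host you control.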