PGSQL x iptables

From: "Slansky Lukas" <Lukas(dot)Slansky(at)upce(dot)cz>
To: <pgsql-general(at)postgresql(dot)org>
Subject: PGSQL x iptables
Date: 2009-05-06 07:26:40
Message-ID: 7F27BA389269BB47A79525510325A35F6F923A@se02.upce.cz
Lists: pgsql-general

Hello,

we're using PG and an application server (JBoss) on separate CentOS servers
with a Cisco PIX in between. On the DB side is iptables with the following
relevant rules:

1. -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

2. -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s aaa.bbb.ccc.ddd --dport 5432 -j ACCEPT

3. -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

I was wondering why these rules are not OK for our environment. It
seems that rules 1 and 2 sometimes pass packets on, and therefore these
packets are rejected. Such a connection is then in some weird state,
doesn't communicate (obviously - packets are dropped) and the psql (or
JBoss) connection blocks for a long time (at least a few hours).

Everything seems to be OK since I changed rule 2 to
"-A RH-Firewall-1-INPUT -m tcp -p tcp -s aaa.bbb.ccc.ddd --dport 5432 -j ACCEPT".

I'm really confused - what other states are possible for iptables besides
ESTABLISHED, RELATED or NEW? In the iptables manpage there is only INVALID,
but why does this state emerge?

Any idea?

Lukas
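Added example, not part of Lukas's message or of any reply: a way to see the rejected packets instead of guessing at them. If a logging rule such as `-A RH-Firewall-1-INPUT -m state --state INVALID -j LOG --log-prefix "PG-INVALID: "` is placed just before rule 3, every packet conntrack classifies as INVALID lands in the kernel log; the script below parses such lines (constructed samples with made-up host, interface, addresses and ports) and groups them by flow and TCP flags, so one can tell whether the hits are mid-stream segments of already-open connections or fresh connection attempts.

```python
import re
from collections import Counter

# Rule assumed to be inserted just before the final REJECT (rule 3) so that
# packets conntrack classifies as INVALID are written to the kernel log:
#   -A RH-Firewall-1-INPUT -m state --state INVALID -j LOG --log-prefix "PG-INVALID: "
PREFIX = "PG-INVALID: "
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}
KV_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample lines in the netfilter LOG target's format; host, interface,
# addresses and ports are made-up values, not taken from the original message.
MAC = "00:11:22:33:44:55:66:77:88:99:aa:bb:08:00"
SAMPLE_LOG = f"""\
May  6 07:20:01 db01 kernel: PG-INVALID: IN=eth0 OUT= MAC={MAC} SRC=10.1.2.3 DST=10.1.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=62 ID=4711 DF PROTO=TCP SPT=40321 DPT=5432 WINDOW=501 RES=0x00 ACK URGP=0
May  6 07:20:03 db01 kernel: PG-INVALID: IN=eth0 OUT= MAC={MAC} SRC=10.1.2.3 DST=10.1.2.10 LEN=95 TOS=0x00 PREC=0x00 TTL=62 ID=4712 DF PROTO=TCP SPT=40321 DPT=5432 WINDOW=501 RES=0x00 ACK PSH URGP=0
May  6 07:20:05 db01 kernel: PG-INVALID: IN=eth0 OUT= MAC={MAC} SRC=10.1.2.3 DST=10.1.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=62 ID=4713 DF PROTO=TCP SPT=40321 DPT=5432 WINDOW=501 RES=0x00 ACK URGP=0
May  6 07:21:00 db01 kernel: PG-INVALID: IN=eth0 OUT= MAC={MAC} SRC=10.1.2.3 DST=10.1.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=62 ID=9001 DF PROTO=TCP SPT=40400 DPT=5432 WINDOW=501 RES=0x00 ACK FIN URGP=0
May  6 07:21:30 db01 sshd[1234]: unrelated log line without the prefix
"""

def parse_log_line(line):
    """Return the key=value fields of one LOG line plus its TCP flags, else None."""
    idx = line.find(PREFIX)
    if idx < 0:
        return None
    body = line[idx + len(PREFIX):]
    fields = dict(KV_RE.findall(body))
    # TCP flags are printed as bare tokens ("ACK PSH"), not as key=value pairs.
    fields["FLAGS"] = " ".join(t for t in body.split() if t in TCP_FLAGS)
    return fields

def summarize(text):
    """Count INVALID hits per (src, sport, dst, dport, flags) tuple."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_log_line(line)
        if f is None or f.get("PROTO") != "TCP":
            continue
        counts[(f["SRC"], f["SPT"], f["DST"], f["DPT"], f["FLAGS"])] += 1
    return counts

def describe(flags):
    """A segment without SYN belongs to a connection the sender considers open."""
    return "new connection attempt" if "SYN" in flags.split() else "mid-stream segment"

if __name__ == "__main__":
    for (src, spt, dst, dpt, flags), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {src}:{spt} -> {dst}:{dpt}  [{flags}]  {describe(flags)}")
```

Run it against the real kernel log (for example `grep PG-INVALID /var/log/messages`) in place of the embedded sample to see which flows rule 3 is actually rejecting.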
