| From: | "Slansky Lukas" <Lukas(dot)Slansky(at)upce(dot)cz> |
|---|---|
| To: | |
| Cc: | <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: PGSQL x iptables |
| Date: | 2009-05-06 08:07:15 |
| Message-ID: | 7F27BA389269BB47A79525510325A35F6F9245@se02.upce.cz |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
> Slansky Lukas wrote:
>
> > 1. -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j
ACCEPT
> >
> > 2. -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s
> > aaa.bbb.ccc.ddd --dport 5432 -j ACCEPT
> >
> > 3. -A RH-Firewall-1-INPUT -j REJECT --reject-with
icmp-host-prohibited
> >
> >
> >
> > I was wondering when these rules are not OK for our environment. It
> > seems that rules 1 and 2 sometimes pass packets and therefore these
> > packets are rejected.
>
> Craig Ringer wrote:
>
> After a long period of inactivity, perhaps?
Is 15 seconds long period? I don't think so.
> If you're relying on `-m state' or `-m ctstate' you should be using a
> TCP keepalive. Otherwise the connection tracking entry for the
I'll try to lower TCP keepa live times and make some tests.
> connection will be purged after a while - how long depends on your
> firewall configuration - and then packets will no longer be seen as
part
> of an established connection.
Deleting -m state --state NEW seems to be "solution" but I'm trying to
figure out origin of the problem.
To John: I know it's related to iptables but this state seems to be only
on PG connections :-)
L.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | durumdara | 2009-05-06 09:19:47 | Transaction settings: nowait |
| Previous Message | Craig Ringer | 2009-05-06 07:47:06 | Re: PGSQL x iptables |