Re: Firewall Security Requirements for Postgresql Access

From: Greg Stark <gsstark(at)mit(dot)edu>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: Firewall Security Requirements for Postgresql Access
Date: 2004-09-07 23:25:23
Message-ID: 87656ppspo.fsf@stark.xeocode.com
Lists: pgsql-general


Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> writes:

> Postgres does enable TCP "keepalive" to prevent idle connections from dying,
> but most kernels only send keepalive probes every hour or so. (The TCP RFCs
> actually specify how often to do this, IIRC.)

RFC 1122 4.2.3.6:

    Keep-alive packets MUST only be sent when no data or
    acknowledgement packets have been received for the
    connection within an interval. This interval MUST be
    configurable and MUST default to no less than two hours.

> If the firewall drops idle connections after less than the TCP keepalive
> interval, you got trouble.

Of course it really ought to wait at least some reasonable multiple of the
keepalive interval since either the data or the ack could get dropped. In fact
dropping connections after only a single keepalive being dropped is explicitly
prohibited:

    It is extremely important to remember that ACK segments that
    contain no data are not reliably transmitted by TCP.
    Consequently, if a keep-alive mechanism is implemented it
    MUST NOT interpret failure to respond to any specific probe
    as a dead connection.

Of course NAT violates uncounted RFCs in the first place. But if you're going
to do NAT you usually really want the timeouts to be on the order of days, not
hours.

--
greg
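
An added example, not part of the original message: a Python sketch that checks whether keepalive timings get several probes through before a stateful firewall's idle timeout, then sets them on a socket. The function names, the 3600 s firewall timeout and the 75 s interval are constructed for illustration, and the `TCP_KEEP*` option names assume Linux.

```python
import socket

RFC1122_DEFAULT_IDLE_S = 7200  # RFC 1122 4.2.3.6: default "no less than two hours"

def probes_before_expiry(idle_s, intvl_s, firewall_idle_s):
    """Keepalive probes sent strictly before an idle firewall entry expires."""
    if idle_s >= firewall_idle_s:
        return 0
    # Probes go out at idle, idle+intvl, idle+2*intvl, ... while below the timeout.
    return 1 + (firewall_idle_s - idle_s - 1) // intvl_s

def plan_keepalive(firewall_idle_s, probes=3):
    """Return (idle, interval, count) so `probes` probes precede the timeout.

    Several probes are planned because a single probe or its ACK can be lost.
    """
    idle_s = firewall_idle_s // 2
    intvl_s = (firewall_idle_s - idle_s) // (probes + 1)
    if intvl_s < 1:
        raise ValueError("firewall timeout too short for this many probes")
    return idle_s, intvl_s, probes

def apply_keepalive(sock, idle_s, intvl_s, count):
    """Enable keepalive on one TCP socket (Linux option names, an assumption)."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle_s)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, intvl_s)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)

if __name__ == "__main__":
    FIREWALL_IDLE_S = 3600  # constructed: firewall forgets idle flows after 1 hour
    # With the RFC default idle time, no probe is sent before the entry is gone.
    print(probes_before_expiry(RFC1122_DEFAULT_IDLE_S, 75, FIREWALL_IDLE_S))
    plan = plan_keepalive(FIREWALL_IDLE_S)
    print(plan, probes_before_expiry(plan[0], plan[1], FIREWALL_IDLE_S))
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        apply_keepalive(s, *plan)
        # Read one value back to confirm the kernel accepted it.
        print(s.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE))
```
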
