From: | Merlin Moncure <mmoncure(at)gmail(dot)com> |
---|---|
To: | Craig Ringer <craig(at)postnewspapers(dot)com(dot)au> |
Cc: | Slansky Lukas <Lukas(dot)Slansky(at)upce(dot)cz>, pgsql-general(at)postgresql(dot)org |
Subject: | Re: PGSQL x iptables |
Date: | 2009-05-06 15:24:45 |
Message-ID: | b42b73150905060824k42830467l9c0c41b8fa3e7ffb@mail.gmail.com |
Lists: | pgsql-general |
On Wed, May 6, 2009 at 3:47 AM, Craig Ringer
<craig(at)postnewspapers(dot)com(dot)au> wrote:
> Slansky Lukas wrote:
>
>> 1. -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>> 2. -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s
>> aaa.bbb.ccc.ddd --dport 5432 -j ACCEPT
>>
>> 3. -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>>
>>
>> I was wondering when these rules are not OK for our environment. It seems
>> that rules 1 and 2 sometimes pass packets and therefore these packets are
>> rejected.
>
> After a long period of inactivity, perhaps?
>
> If you're relying on `-m state' or `-m ctstate' you should be using a TCP
> keepalive. Otherwise the connection tracking entry for the connection will
> be purged after a while - how long depends on your firewall configuration -
> and then packets will no longer be seen as part of an established
> connection.
Small addendum: I bet this is the problem. You can configure server
keepalives in postgresql.conf. I'd suggest two minutes
(tcp_keepalives_idle=120).
merlin
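To make the interaction between the firewall rules and the keepalive setting concrete, here is an added configuration example (not from the thread or from either poster) that puts the three iptables rules next to the conntrack timeout and the postgresql.conf keepalive parameters. The sysctl key and the `tcp_keepalives_interval`/`tcp_keepalives_count` lines are my additions; `aaa.bbb.ccc.ddd` is the placeholder address from the original post.

```conf
# --- /etc/sysconfig/iptables (iptables-save format), rules as in the post ---
# Rule 1 accepts packets that conntrack still associates with a tracked
# connection. Once the entry is purged, this rule no longer matches.
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Rule 2 accepts only the opening SYN (state NEW) to 5432 from the trusted host.
# A mid-stream packet of a forgotten connection is not NEW, so it does not match.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s aaa.bbb.ccc.ddd --dport 5432 -j ACCEPT
# Rule 3 therefore rejects the forgotten connection's packets; the client sees
# "connection reset" or a hung query after a long idle period.
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

# --- /etc/sysctl.conf on the firewall host (assumed key, Linux 2.6.x naming) ---
# Seconds an idle ESTABLISHED TCP entry survives in the conntrack table.
# Kernel default is 432000 (5 days); sites often lower it to save table memory.
# Whatever value is in force must be longer than the keepalive idle time below.
net.netfilter.nf_conntrack_tcp_timeout_established = 432000

# --- postgresql.conf, weak setting ---
# 0 means "use the OS default"; on Linux that is 7200 s before the first probe,
# so a connection idle for two hours sends nothing conntrack could refresh.
tcp_keepalives_idle = 0

# --- postgresql.conf, corrected per the suggestion above ---
# First probe after 120 s idle; each probe is traffic that refreshes the
# conntrack entry, so rule 1 keeps matching for as long as the session lives.
tcp_keepalives_idle = 120
# Re-probe every 10 s, give up after 9 unanswered probes (added, not in the post):
# a dead peer is detected in roughly 120 + 9*10 = 210 s instead of hours.
tcp_keepalives_interval = 10
tcp_keepalives_count = 9
```

The keepalives only help if the firewall's timeout is longer than `tcp_keepalives_idle`; compare the two values on the firewall host rather than assuming the kernel default.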