Re: PGSQL x iptables
From | Merlin Moncure |
---|---|
Subject | Re: PGSQL x iptables |
Date | |
Msg-id | b42b73150905060824k42830467l9c0c41b8fa3e7ffb@mail.gmail.com |
In reply to | Re: PGSQL x iptables (Craig Ringer <craig@postnewspapers.com.au>) |
List | pgsql-general |
On Wed, May 6, 2009 at 3:47 AM, Craig Ringer <craig@postnewspapers.com.au> wrote:
> Slansky Lukas wrote:
>
>> 1. -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>> 2. -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s aaa.bbb.ccc.ddd --dport 5432 -j ACCEPT
>>
>> 3. -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>>
>>
>> I was wondering when these rules are not OK for our environment. It seems
>> that rules 1 and 2 sometimes pass packets and therefore these packets are
>> rejected.
>
> After a long period of inactivity, perhaps?
>
> If you're relying on `-m state' or `-m ctstate' you should be using a TCP
> keepalive. Otherwise the connection tracking entry for the connection will
> be purged after a while - how long depends on your firewall configuration -
> and then packets will no longer be seen as part of an established
> connection.

Small addendum: I bet this is the problem. You can configure server
keepalives in postgresql.conf. I'd suggest two minutes
(tcp_keepalives_idle=120).

merlin
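Added example, not part of the thread and not PostgreSQL's or netfilter's own code: a Python script that resolves the tcp_keepalives_* settings from a postgresql.conf excerpt (0 meaning "use the kernel default", as the server treats it), checks whether the first keepalive probe would go out before the conntrack entry for an idle connection expires, and then applies the same three parameters to a client socket, which goes one step beyond the server-side setting Merlin suggests. The postgresql.conf lines and the sysctl snapshot are constructed; the Linux defaults used (2 h keepalive idle, 75 s interval, 9 probes, 5-day conntrack established timeout) and the sysctl key names are assumptions about a stock Linux host, and the socket option names are the Linux ones.

```python
"""Added example, not from the thread: check PostgreSQL keepalive settings
against the Linux conntrack timeout, and set the same keepalive parameters
on a client socket. Sample config and sysctl values are constructed."""
import re
import socket

# Constructed postgresql.conf excerpt. Commented-out lines show the shipped
# defaults; 0 means "use the kernel's value".
SAMPLE_CONF = """
# - TCP Keepalives -
#tcp_keepalives_idle = 0        # TCP_KEEPIDLE, in seconds; 0 selects the system default
tcp_keepalives_idle = 120       # probe after two idle minutes, as suggested in the thread
#tcp_keepalives_interval = 0    # TCP_KEEPINTVL, in seconds; 0 selects the system default
#tcp_keepalives_count = 0       # TCP_KEEPCNT; 0 selects the system default
"""

# Constructed sysctl snapshot (assumption: the usual Linux defaults of a 2 h
# keepalive idle time, 75 s probe interval, 9 probes, 5-day conntrack timeout).
DEFAULT_SYSCTL = {
    "net.ipv4.tcp_keepalive_time": 7200,
    "net.ipv4.tcp_keepalive_intvl": 75,
    "net.ipv4.tcp_keepalive_probes": 9,
    "net.netfilter.nf_conntrack_tcp_timeout_established": 432000,
}

CONF_LINE = re.compile(r"^\s*(tcp_keepalives_(?:idle|interval|count))\s*=\s*(\d+)\b")


def parse_conf(text):
    """Return {setting: int} for the uncommented tcp_keepalives_* lines.
    Only plain integer values (seconds) are handled; units such as '2min' are not."""
    found = {}
    for line in text.splitlines():
        m = CONF_LINE.match(line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found


def effective_keepalive(conf, sysctl):
    """Resolve each parameter: an explicit non-zero value wins; 0 or absent
    falls back to the kernel sysctl, which is how the server treats 0."""
    idle = conf.get("tcp_keepalives_idle", 0) or sysctl["net.ipv4.tcp_keepalive_time"]
    interval = conf.get("tcp_keepalives_interval", 0) or sysctl["net.ipv4.tcp_keepalive_intvl"]
    count = conf.get("tcp_keepalives_count", 0) or sysctl["net.ipv4.tcp_keepalive_probes"]
    return idle, interval, count


def conntrack_check(conf_text, sysctl):
    """Every packet on the flow, a keepalive probe included, resets the
    conntrack entry's ESTABLISHED timer, so an idle connection survives as
    long as the first probe goes out before that timer runs out. Returns the
    resolved values, the margin in seconds and an 'ok' verdict."""
    idle, interval, count = effective_keepalive(parse_conf(conf_text), sysctl)
    timeout = sysctl["net.netfilter.nf_conntrack_tcp_timeout_established"]
    return {
        "idle": idle,
        "interval": interval,
        "count": count,
        "conntrack_timeout": timeout,
        "margin": timeout - idle,
        "ok": idle < timeout,
    }


def apply_keepalive(sock, idle, interval, count):
    """Client-side counterpart (beyond the thread, which covers the server):
    enable keepalive on a socket with the same three parameters using the
    Linux option names, then read them back and return them."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)
    return (
        sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE),
        sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE),
        sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL),
        sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT),
    )


def keepalive_roundtrip(idle, interval, count):
    """Apply the parameters to a fresh, unconnected TCP socket and return what
    the kernel reports; None on platforms without the Linux option names."""
    if not hasattr(socket, "TCP_KEEPIDLE"):
        return None
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        return apply_keepalive(s, idle, interval, count)


if __name__ == "__main__":
    print(conntrack_check(SAMPLE_CONF, DEFAULT_SYSCTL))
    # A firewall tuned to forget idle flows after ten minutes, with the shipped
    # PostgreSQL defaults (everything 0): the kernel's 2 h idle time loses.
    strict = {**DEFAULT_SYSCTL, "net.netfilter.nf_conntrack_tcp_timeout_established": 600}
    print(conntrack_check("#tcp_keepalives_idle = 0\n", strict))
    print(keepalive_roundtrip(120, 75, 9))
```

The 'ok' verdict only sees the conntrack table of the host whose sysctl values you feed in; a NAT device or stateful firewall between client and server keeps its own idle timeout, which is the "depends on your firewall configuration" part of Craig's reply, so the margin has to be judged against the shortest timeout on the path, not just the local one.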