Hello,

as you may see, there is rule 2 that accepts new connections. Unfortunately we have found that the Cisco works really badly with SACK packets, and these are then recognized as INVALID and dropped. We still don't know what is wrong and why SACKs are produced, by, I suspect, the PIX too. The workaround, and some explanation, is mentioned on LKML: http://lkml.org/lkml/2007/7/29/174

Now, after turning SACKs off, the connection seems stable. But we'll try to figure out why such packets are produced. It will probably take time...

Thanks,
Lukas

-----Original Message-----
From: Elvir Kuric [mailto:omasnjak@xxxxxxxxx]
Sent: Wednesday, May 06, 2009 8:37 PM
To: Slansky Lukas
Cc: netfilter@xxxxxxxxxxxxxxx
Subject: Re: PostgreSQL x iptables

Hi Lukas,

you should accept NEW connections for the traffic you need. Rule "1" accepts only connections which are initiated from the "original host", the host which already sent NEW. You can receive all traffic on a particular port / from a particular host, and I think it will not be a problem to make what you want.

Also, please take care that it is necessary to reload the rules (do iptables -X -F -Z) after you change something.

Take a look into the Cisco PIX, maybe there you have some limit.

For iptables reference see man iptables or Oskar Andreasson's iptables manual.

Regards/Ahoj
Elvir Kuric

On Wed, May 6, 2009 at 11:13 AM, Slansky Lukas <Lukas.Slansky@xxxxxxx> wrote:
> Hello,
> we're using PG and Application Server (JBoss) on separate CentOS servers
> with a Cisco PIX in between. On the DB side is iptables with the following relevant
> rules:
>
> 1. -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 2. -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s aaa.bbb.ccc.ddd --dport 5432 -j ACCEPT
> 3. -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>
> I was wondering why these rules are not OK for our environment. It
> seems that rules 1 and 2 sometimes (probably for complicated queries)
> pass packets and therefore these packets are rejected by rule 3. Such a
> connection is then in some weird state, doesn't communicate (obviously -
> packets are dropped) and the psql (or JBoss) connection is blocking for a
> long time (at least a few hours).
>
> Everything seems to be OK when I have changed rule 2 to "-A
> RH-Firewall-1-INPUT -m tcp -p tcp -s aaa.bbb.ccc.ddd --dport 5432 -j
> ACCEPT".
>
> I'm really confused - what other states are possible for iptables except
> ESTABLISHED, RELATED or NEW? In the iptables manpage there is only INVALID, but
> why is this state emerging?
>
> Any idea?
>
> Lukas
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
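The defender-side handling of the situation in this thread (conntrack marking packets INVALID and the catch-all rule 3 rejecting them silently, leaving psql/JBoss hanging), as an added example that is not code from any of the participants. It reuses the chain name and port from Lukas's rules; the log prefix "NF-INVALID: " and the sample kernel log lines are constructed here.

```shell
#!/bin/sh
# Added example, not part of the thread. Two helpers:
#  - invalid_rules prints (does not apply) two rules to insert ahead of the
#    existing chain so INVALID packets are logged and dropped explicitly
#    instead of falling through to rule 3; review the output, then run as root.
#  - count_invalid summarises the kernel LOG lines that rule produces, per
#    source address for the PostgreSQL port, so the problem shows up in the
#    logs rather than as a multi-hour hang.
# Assumptions: chain RH-Firewall-1-INPUT and port 5432 are from the thread;
# the log prefix and SAMPLE_LOG below are constructed for this example.

invalid_rules() {
  cat <<'EOF'
iptables -I RH-Firewall-1-INPUT 1 -m state --state INVALID -m limit --limit 10/min -j LOG --log-prefix "NF-INVALID: "
iptables -I RH-Firewall-1-INPUT 2 -m state --state INVALID -j DROP
EOF
}

# Reads kernel log lines on stdin; prints "<count> <src-ip>" for NF-INVALID
# hits aimed at DPT=5432, most frequent source first.
count_invalid() {
  awk '/NF-INVALID:/ && /DPT=5432/ {
         for (i = 1; i <= NF; i++)
           if ($i ~ /^SRC=/) hits[substr($i, 5)]++
       }
       END { for (s in hits) print hits[s], s }' | sort -rn
}

# Constructed sample of what the LOG rule above would write to the kernel log.
SAMPLE_LOG='May  6 10:13:01 db kernel: NF-INVALID: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 LEN=64 TTL=63 PROTO=TCP SPT=40321 DPT=5432 ACK URGP=0
May  6 10:13:02 db kernel: NF-INVALID: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.9 LEN=64 TTL=63 PROTO=TCP SPT=51002 DPT=5432 ACK URGP=0
May  6 10:13:03 db kernel: NF-INVALID: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 LEN=64 TTL=63 PROTO=TCP SPT=40321 DPT=5432 ACK URGP=0
May  6 10:13:04 db kernel: NF-INVALID: IN=eth0 OUT= SRC=10.0.0.8 DST=10.0.0.9 LEN=60 TTL=63 PROTO=TCP SPT=33000 DPT=22 SYN URGP=0
May  6 10:13:05 db kernel: sshd[1234]: Accepted publickey for admin from 10.0.0.8'

# Host-side workaround the thread settled on (disable SACK):
#   sysctl -w net.ipv4.tcp_sack=0
# Netfilter-side alternative that stops conntrack flagging out-of-window
# segments as INVALID: /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal=1
# Both are operational choices and are not applied by this script.

if [ "${1:-}" = "run" ]; then
  invalid_rules
  printf '%s\n' "$SAMPLE_LOG" | count_invalid
fi
```

Run with `sh script.sh run` to print the rules and the per-source summary of the sample log; pipe real `dmesg` or `/var/log/messages` output into `count_invalid` to use it on a live host.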