RE: PostgreSQL x iptables

Hello,
as you may see, there is rule 2 that accepts new connections. Unfortunately we have found that Cisco works really badly with SACK packets, and these are then recognized as INVALID and dropped. We still don't know what is wrong and why SACKs are produced (by the PIX too, I suspect). The workaround, and some explanation, is mentioned on LKML: http://lkml.org/lkml/2007/7/29/174

Now, after turning SACKs off, the connection seems stable. But we'll try to figure out why such packets are produced. It will probably take time...

Thanks,
Lukas

-----Original Message-----
From: Elvir Kuric [mailto:omasnjak@xxxxxxxxx] 
Sent: Wednesday, May 06, 2009 8:37 PM
To: Slansky Lukas
Cc: netfilter@xxxxxxxxxxxxxxx
Subject: Re: PostgreSQL x iptables

Hi Lukas,

you should accept NEW connections for the traffic you need. Rule "1" accepts
only connections which are initiated
from the "original host", the host which already sent NEW.
You can receive all traffic on a particular port/from a particular host,
and I think it will not be a problem to make what you want.
Also, please take care that it is necessary to reload the rules (do iptables
-X -F -Z) after you change something.

Take a look at the Cisco PIX, maybe you have some limit there.

For iptables reference see man iptables or Oscar Anderson Iptables manual

Regards/Ahoj

Elvir Kuric

On Wed, May 6, 2009 at 11:13 AM, Slansky Lukas <Lukas.Slansky@xxxxxxx> wrote:
> Hello,
> we're using PG and an Application Server (JBoss) on separate CentOS servers
> with a Cisco PIX in between. On the DB side is iptables with the following
> relevant rules:
>
> 1. -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 2. -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s
> aaa.bbb.ccc.ddd --dport 5432 -j ACCEPT
> 3. -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>
> I was wondering when these rules are not OK for our environment. It
> seems that rules 1 and 2 sometimes (probably for complicated queries)
> pass packets and therefore these packets are rejected by rule 3. Such a
> connection is then in some weird state, doesn't communicate (obviously,
> packets are dropped) and the psql (or JBoss) connection blocks for a
> long time (at least a few hours).
>
> Everything seems to be OK since I changed rule 2 to "-A
> RH-Firewall-1-INPUT -m tcp -p tcp -s aaa.bbb.ccc.ddd --dport 5432 -j
> ACCEPT".
>
> I'm really confused: what other states are possible for iptables except
> ESTABLISHED, RELATED or NEW? In the iptables manpage there is only INVALID,
> but why does this state emerge?
>
> Any idea?
>
> Lukas
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
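An added example (not code from anyone in this thread) that makes the packets hitting rule 3 visible instead of silently rejected: the same RH-Firewall-1-INPUT ruleset from the original post with a rate-limited LOG rule for INVALID packets inserted before the REJECT, plus a small helper that summarises the resulting kernel log lines per source host and destination port 5432. The chain name and aaa.bbb.ccc.ddd come from the post; the CT_INVALID log prefix, the helper names and the sample log lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example; not from the thread. DBHOST is a placeholder for the
# application server address used in rule 2 of the original post.
DBHOST="${DBHOST:-aaa.bbb.ccc.ddd}"

# Print the ruleset with a LOG rule for conntrack-INVALID packets placed
# before the final REJECT. Nothing is applied here; the lines are in the
# iptables-save format so they can be reviewed before being loaded.
print_rules() {
    cat <<EOF
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s $DBHOST --dport 5432 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state INVALID -m limit --limit 5/min -j LOG --log-prefix "CT_INVALID: " --log-tcp-options
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
}

# Read kernel log lines on stdin and print, per source host, how many
# packets destined for the PostgreSQL port were logged as INVALID.
summarize_invalid() {
    grep 'CT_INVALID: ' | grep 'DPT=5432 ' \
      | sed -n 's/.*SRC=\([0-9.]*\) .*/\1/p' | sort | uniq -c | sort -rn
}

# Constructed sample log lines (not real captures) in the layout the
# kernel LOG target writes; the third line is unrelated noise on port 22.
SAMPLE_LOG='May  6 11:01:02 db kernel: CT_INVALID: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 LEN=52 PROTO=TCP SPT=40513 DPT=5432 WINDOW=1002 ACK URGP=0
May  6 11:01:03 db kernel: CT_INVALID: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 LEN=52 PROTO=TCP SPT=40513 DPT=5432 WINDOW=1002 ACK URGP=0
May  6 11:02:00 db kernel: CT_INVALID: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.9 LEN=40 PROTO=TCP SPT=1234 DPT=22 WINDOW=0 RST URGP=0'

# Run the summary over the constructed sample: one host (10.0.0.5) with 2 packets.
invalid_hosts() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_invalid
}
```

On a live box the same summary runs as `grep CT_INVALID /var/log/messages | summarize_invalid`, and the logged TCP options show whether the rejected packets carry SACK blocks as Lukas found.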
