Hello, we're using PG and an application server (JBoss) on separate CentOS servers with a Cisco PIX in between. On the DB side there is iptables with the following relevant rules:

1. -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
2. -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s aaa.bbb.ccc.ddd --dport 5432 -j ACCEPT
3. -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

I was wondering why these rules are not OK for our environment. It seems that rules 1 and 2 sometimes let packets pass through, and these packets are therefore rejected. Such a connection is then in some weird state, doesn't communicate (obviously, the packets are dropped) and the psql (or JBoss) connection blocks for a long time (at least a few hours). Everything seems to be OK when I change rule 2 to "-A RH-Firewall-1-INPUT -m tcp -p tcp -s aaa.bbb.ccc.ddd --dport 5432 -j ACCEPT". I'm really confused: what other states are possible for iptables except ESTABLISHED, RELATED or NEW? In the iptables manpage there is only INVALID, but why is this state emerging? Any idea?

Lukas
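One way to see which packets the ruleset above is rejecting, as an added example that is not part of the original post: the same three rules in iptables-restore format, plus a rate-limited LOG rule for the INVALID state placed before the catch-all REJECT, so the rejected packets show up in the kernel log with their TCP flags. The chain name RH-Firewall-1-INPUT is the CentOS default from the post; the application server address is a placeholder taken over from the post, and the log prefix and rate limit are arbitrary choices.

```shell
#!/bin/sh
# Added example, not from the original post. Emits an iptables-restore
# ruleset for the DB host: the three rules from the post plus a LOG rule
# for conntrack state INVALID placed ahead of the final REJECT.
# APP_SERVER is a placeholder for the JBoss host address.
APP_SERVER="${APP_SERVER:-aaa.bbb.ccc.ddd}"

ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
# 1. packets conntrack has already matched to a known connection
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# 2. new PostgreSQL connections, only from the application server
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s ${APP_SERVER} --dport 5432 -j ACCEPT
# 2a. packets conntrack could not match to any connection: log them
#     (rate limited) before they fall through to the REJECT below
-A RH-Firewall-1-INPUT -m state --state INVALID -m limit --limit 5/min -j LOG --log-prefix "IPT INVALID: "
# 3. everything else
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Sanity check: the LOG rule must come before the catch-all REJECT,
# otherwise it never matches. Exit status 0 when the ordering is right.
check_order() {
    ruleset | awk '
        /--state INVALID/ && /-j LOG/ { log_line = NR }
        /-j REJECT/                   { reject_line = NR }
        END { exit !(log_line > 0 && reject_line > log_line) }'
}

# Apply with:  check_order && ruleset | iptables-restore
```

The logged flags tell you whether the rejected packets are mid-stream segments conntrack lost track of (for example after the PIX rewrote sequence numbers or a window check failed); in that case the conntrack option nf_conntrack_tcp_be_liberal (ip_conntrack_tcp_be_liberal on older kernels) is the setting that relaxes the window check rather than dropping the state match from rule 2.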