Slansky Lukas wrote:
Hello,
we’re using PG and Application Server (JBoss) on separate CentOS
servers with Cisco PIX in between. On DB side is iptable with
following relevant rules:
1. -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
2. -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s
aaa.bbb.ccc.ddd --dport 5432 -j ACCEPT
3. -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
I was wondering when these rules are not OK for our environment. It
seems that rules 1 and 2 sometimes pass packets and therefore these
packets are rejected. Such connection is then in some weird state,
doesn’t communicate (obviously – packets are dropped) and psql (or
JBoss) connection is blocking for a long time (at least few hours).
Everything seems to be OK when I have changed rule 2 to “-A
RH-Firewall-1-INPUT -m tcp -p tcp -s aaa.bbb.ccc.ddd --dport 5432 -j
ACCEPT“.
I’m really confused – what other states are possible for iptables
except ESTABLISHED, RELATED or NEW? In iptables manpage is only
INVALID, but why is this state emerging?
this is a linix iptables question, not a postgres question.
--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
