Slansky Lukas wrote:
1. -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
2. -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s
aaa.bbb.ccc.ddd --dport 5432 -j ACCEPT
3. -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
I was wondering when these rules are not OK for our environment. It
seems that rules 1 and 2 sometimes pass packets and therefore these
packets are rejected.
After a long period of inactivity, perhaps?
If you're relying on `-m state' or `-m ctstate' you should be using a
TCP keepalive. Otherwise the connection tracking entry for the
connection will be purged after a while - how long depends on your
firewall configuration - and then packets will no longer be seen as part
of an established connection.
--
Craig Ringer
--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
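As an added example (not code from Lukas or Craig): a small POSIX shell check that compares the kernel's TCP keepalive idle time with netfilter's timeout for ESTABLISHED TCP conntrack entries, which is the condition that decides whether an idle session on port 5432 still matches rule 1 above. The /proc/sys paths are Linux's; the fallback numbers are constructed defaults used only when those files are not readable.

```shell
#!/bin/sh
# keepalive_covers_conntrack IDLE CT_TIMEOUT
#   IDLE        net.ipv4.tcp_keepalive_time (seconds of silence before the
#               first keepalive probe is sent)
#   CT_TIMEOUT  net.netfilter.nf_conntrack_tcp_timeout_established (seconds
#               an idle entry survives in the conntrack table)
# Any packet on the connection, a keepalive probe included, refreshes the
# conntrack entry, so the first probe must go out before the entry expires.
# Prints a verdict; returns 0 when the keepalive arrives in time, 1 otherwise.
keepalive_covers_conntrack() {
    idle=$1
    ct_timeout=$2
    if [ "$idle" -lt "$ct_timeout" ]; then
        echo "ok: first keepalive after ${idle}s, conntrack entry lives ${ct_timeout}s"
        return 0
    fi
    echo "WARNING: conntrack entry expires after ${ct_timeout}s, before the first keepalive (${idle}s)"
    echo "         idle connections will stop matching --state ESTABLISHED and hit the REJECT rule"
    return 1
}

# read_sysctl PATH FALLBACK: print the live kernel value, or the fallback
# (constructed for this example) when the file is absent or unreadable.
read_sysctl() {
    if [ -r "$1" ]; then
        cat "$1"
    else
        echo "$2"
    fi
}

# check_host: run the comparison against this machine's own settings.
# Note that the timeout that matters is the one on the firewall host, which
# may be a different box than the one running this script.
check_host() {
    idle=$(read_sysctl /proc/sys/net/ipv4/tcp_keepalive_time 7200)
    ct=$(read_sysctl /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established 432000)
    keepalive_covers_conntrack "$idle" "$ct"
}

check_host || :
```

Keepalives only help when the socket actually has SO_KEEPALIVE enabled; on the PostgreSQL side the idle time can also be set per server with tcp_keepalives_idle or per client with libpq's keepalives_idle, and the value used there is what should be compared against the firewall's timeout.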