On Wed, May 6, 2009 at 3:47 AM, Craig Ringer <craig@xxxxxxxxxxxxxxxxxxxxx> wrote:
> Slansky Lukas wrote:
>
>> 1. -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>> 2. -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s
>> aaa.bbb.ccc.ddd --dport 5432 -j ACCEPT
>>
>> 3. -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>>
>>
>> I was wondering when these rules are not OK for our environment. It seems
>> that rules 1 and 2 sometimes pass packets and therefore these packets are
>> rejected.
>
> After a long period of inactivity, perhaps?
>
> If you're relying on `-m state' or `-m ctstate' you should be using a TCP
> keepalive. Otherwise the connection tracking entry for the connection will
> be purged after a while - how long depends on your firewall configuration -
> and then packets will no longer be seen as part of an established
> connection.

Small addendum: I bet this is the problem. You can configure server keepalives in postgresql.conf. I'd suggest two minutes (tcp_keepalives_idle=120).

merlin

--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
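As an added illustration of the check the thread implies (not code from the list or from PostgreSQL itself): read the tcp_keepalives_* settings from a postgresql.conf fragment, fall back to the Linux kernel defaults when a setting is 0 or absent, and confirm that the first keepalive probe goes out before the firewall's conntrack ESTABLISHED timeout would purge an idle connection. The conf fragment and the 600-second timeout are constructed sample values; the timeout on a real host would come from nf_conntrack_tcp_timeout_established (assumed name for the sysctl, which varies by kernel version).

```python
"""Does the PostgreSQL server's TCP keepalive fire before a stateful
firewall forgets the idle connection?  Added example; values are constructed."""
import re

# Linux kernel defaults.  In postgresql.conf a value of 0 means
# "use the operating system default", so 0 maps onto these.
OS_DEFAULTS = {
    "tcp_keepalives_idle": 7200,    # net.ipv4.tcp_keepalive_time
    "tcp_keepalives_interval": 75,  # net.ipv4.tcp_keepalive_intvl
    "tcp_keepalives_count": 9,      # net.ipv4.tcp_keepalive_probes
}

_SETTING = re.compile(r"\s*(tcp_keepalives_(?:idle|interval|count))\s*=\s*(\d+)")


def parse_keepalive_settings(conf_text):
    """Extract the three keepalive GUCs from postgresql.conf text.
    Lines commented out with '#' do not match; 0 or missing -> OS default."""
    values = dict(OS_DEFAULTS)
    for line in conf_text.splitlines():
        m = _SETTING.match(line)
        if m and int(m.group(2)) > 0:
            values[m.group(1)] = int(m.group(2))
    return values


def dead_peer_detection_seconds(settings):
    """Worst-case idle time before the server gives up on a silent peer."""
    return (settings["tcp_keepalives_idle"]
            + settings["tcp_keepalives_interval"] * settings["tcp_keepalives_count"])


def keepalive_beats_conntrack(settings, conntrack_established_timeout):
    """True when the first probe is sent while the firewall still holds the
    ESTABLISHED entry; conntrack_established_timeout is in seconds."""
    return settings["tcp_keepalives_idle"] < conntrack_established_timeout


# Constructed postgresql.conf fragment following the thread's suggestion.
SAMPLE_CONF = """# constructed sample, not a real server's file
#tcp_keepalives_idle = 0
tcp_keepalives_idle = 120
tcp_keepalives_interval = 10
tcp_keepalives_count = 3
"""

if __name__ == "__main__":
    s = parse_keepalive_settings(SAMPLE_CONF)
    print(s, dead_peer_detection_seconds(s), keepalive_beats_conntrack(s, 600))
```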