> Slansky Lukas wrote:
> >
> > 1. -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > 2. -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s
> > aaa.bbb.ccc.ddd --dport 5432 -j ACCEPT
> >
> > 3. -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> >
> > I was wondering when these rules are not OK for our environment. It
> > seems that rules 1 and 2 sometimes pass packets and therefore these
> > packets are rejected.

Craig Ringer wrote:

> After a long period of inactivity, perhaps?

Is 15 seconds a long period? I don't think so.

> If you're relying on `-m state' or `-m ctstate' you should be using a
> TCP keepalive. Otherwise the connection tracking entry for the

I'll try to lower the TCP keepalive times and make some tests.

> connection will be purged after a while - how long depends on your
> firewall configuration - and then packets will no longer be seen as part
> of an established connection.

Deleting -m state --state NEW seems to be the "solution", but I'm trying to
figure out the origin of the problem.

To John: I know it's related to iptables, but this state seems to occur only
on PG connections :-)

L.

--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
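The check a practitioner would want before "lowering the keepalive times" is whether the first keepalive probe actually goes out before the firewall's conntrack entry for an ESTABLISHED TCP flow expires. The following is an added example, not code from the thread or from PostgreSQL: it parses a constructed sysctl snapshot and a constructed postgresql.conf fragment, applies PostgreSQL's rule that a value of 0 for tcp_keepalives_idle/interval/count means "use the kernel default" (net.ipv4.tcp_keepalive_time/intvl/probes), and compares the resulting idle gap with net.netfilter.nf_conntrack_tcp_timeout_established. It also builds a libpq connection string that turns on client-side keepalives (keepalives, keepalives_idle, keepalives_interval, keepalives_count are real libpq parameters). All numeric values and the host/db/user names are assumptions for illustration. Note that this only tests the purge-after-idle explanation Craig gives; it does not account for rejects after 15 seconds of idle, which the thread leaves open.

```python
"""Check PostgreSQL TCP keepalive settings against the firewall's conntrack timeout."""
import re

# Constructed sysctl snapshot (typical Linux defaults; not taken from the thread).
SAMPLE_SYSCTL = """\
net.netfilter.nf_conntrack_tcp_timeout_established = 432000
net.ipv4.tcp_keepalive_time = 7200
net.ipv4.tcp_keepalive_intvl = 75
net.ipv4.tcp_keepalive_probes = 9
"""

# Constructed snapshot of a firewall that purges idle flows after 10 minutes.
SAMPLE_SYSCTL_STRICT = """\
net.netfilter.nf_conntrack_tcp_timeout_established = 600
net.ipv4.tcp_keepalive_time = 7200
net.ipv4.tcp_keepalive_intvl = 75
net.ipv4.tcp_keepalive_probes = 9
"""

# Constructed postgresql.conf fragment (values chosen for illustration).
SAMPLE_PGCONF = """\
# first probe after 60 s idle, then every 10 s, give up after 5 unanswered probes
tcp_keepalives_idle = 60
tcp_keepalives_interval = 10
tcp_keepalives_count = 5
"""


def parse_kv(text):
    """Parse 'key = value' lines (sysctl or postgresql.conf style).

    Comments after '#' are dropped, optional single quotes around the value
    are stripped, and purely numeric values are returned as int.
    """
    out = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        m = re.match(r"^([\w.]+)\s*=\s*'?([^']*?)'?\s*$", line)
        if not m:
            continue
        key, val = m.groups()
        out[key] = int(val) if val.lstrip('-').isdigit() else val
    return out


def check(sysctl_text, pgconf_text):
    """Return the conntrack timeout, when the first keepalive probe is sent,
    when the kernel declares the peer dead, and whether a probe refreshes the
    conntrack entry before the firewall purges it.

    Conntrack refreshes an entry's timer on any packet in either direction that
    matches the flow, so the server's own probes keep the entry alive just as
    client traffic does.
    """
    s = parse_kv(sysctl_text)
    pg = parse_kv(pgconf_text)
    ct_timeout = s['net.netfilter.nf_conntrack_tcp_timeout_established']
    # PostgreSQL treats 0 (or an unset GUC) as "use the operating system default".
    idle = pg.get('tcp_keepalives_idle', 0) or s['net.ipv4.tcp_keepalive_time']
    interval = pg.get('tcp_keepalives_interval', 0) or s['net.ipv4.tcp_keepalive_intvl']
    count = pg.get('tcp_keepalives_count', 0) or s['net.ipv4.tcp_keepalive_probes']
    return {
        'conntrack_timeout': ct_timeout,
        'first_probe_after': idle,
        'dead_after': idle + interval * count,
        'refreshes_before_purge': idle < ct_timeout,
    }


def libpq_dsn(host, dbname, user, idle, interval, count):
    """Build a libpq connection string enabling keepalives on the client side,
    so the entry is refreshed from the client's direction too."""
    return (f"host={host} dbname={dbname} user={user} "
            f"keepalives=1 keepalives_idle={idle} "
            f"keepalives_interval={interval} keepalives_count={count}")


if __name__ == '__main__':
    for name, sysctl in (('default', SAMPLE_SYSCTL), ('strict', SAMPLE_SYSCTL_STRICT)):
        print(name, check(sysctl, SAMPLE_PGCONF))
        print(name, 'kernel defaults:', check(sysctl, ''))
    print(libpq_dsn('db.example', 'app', 'app', 60, 10, 5))
```

On a live host the two inputs come from `sysctl net.netfilter net.ipv4.tcp_keepalive_time net.ipv4.tcp_keepalive_intvl net.ipv4.tcp_keepalive_probes` and `SHOW tcp_keepalives_idle` (or the config file); on older kernels the conntrack key is spelled net.ipv4.netfilter.ip_conntrack_tcp_timeout_established, so adjust the key name. The interesting case is the second one: with PostgreSQL left at 0 the first probe only goes out after 7200 s, far past a 600 s conntrack timeout, and the next packet on that flow no longer matches --state ESTABLISHED.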