On Sun, Jun 20, 2010 at 03:01:04PM -0500, Kevin Grittner wrote:
> "Joshua D. Drake" wrote:
>
> > Can someone tell me what we are going to do about firewalls that
> > impose their own rules outside of the control of the DBA?
>
> Has anyone actually seen a firewall configured for something so
> stupid as to allow *almost* all the various packets involved in using
> a TCP connection, but which suppressed just keepalive packets? That
> seems to be what you're suggesting is the risk; it's an outlandish
> enough suggestion that I think the burden of proof is on you to show
> that it happens often enough to make this a worthless change.
>
> -Kevin
>
I have seen this sort of behavior but in every case it has been
the result of a myopic view of firewall/IP tables solutions to
perceived "attacks". While I do agree that having heartbeat
within the replication process it worthwhile, it should definitely
be 9.1 material at best. For 9.0 such ill-behaved environments
will need much more interaction by the DBA with monitoring and
triage of problems as they arrive.
Regards,
Ken
P.S. My favorite example of odd behavior was preemptively dropping
TCP packets in one direction only at a single port. Many, many
odd things happen when the kernel does not know that the packet
would never make it to it destination. Services would sometimes
run for weeks without a problem depending on when the port ended
up being used invariably at night or on the weekend.
