Re: Postgres database and firewall - Mailing list pgsql-admin

From Shane Ambler
Subject Re: Postgres database and firewall
Date
Msg-id 47E2A723.1030208@Sheeky.Biz
In response to Re: Postgres database and firewall  ("Bhella Paramjeet-PFCW67" <PBhella@Motorola.com>)
List pgsql-admin
Bhella Paramjeet-PFCW67 wrote:
> Thank you very much Shane for your response. I have one more question:
> the firewall usually drops the idle connections. What can we configure
> on the database side to keep the idle connections alive? In the
> postgresql.conf file I see the parameter tcp_keepalives_idle; would
> setting this parameter be enough to keep the idle connections alive, or
> is there anything else I need to be aware of? Your help will be highly
> appreciated.

If the firewall is stopping traffic when a connection is idle for too
long then you may want to look at either changing the settings on the
firewall or having the client send some trivial command on a timed basis.

I may be wrong (I haven't looked into this in detail) but I think
tcp_keepalives_idle keeps the TCP session alive when there is no traffic;
it doesn't actually send traffic to keep the session active, which is
what the firewall would need.

I do know that some systems will not allow a program to change this
setting so it must be done in the system config.



> Thanks
> Paramjeet Kaur
>
> -----Original Message-----
> From: Shane Ambler [mailto:pgsql@Sheeky.Biz]
> Sent: Thursday, March 20, 2008 12:48 AM
> To: Bhella Paramjeet-PFCW67
> Cc: pgsql-admin@postgresql.org
> Subject: Re: [ADMIN] Postgres database and firewall
>
> Bhella Paramjeet-PFCW67 wrote:
>> Hi
>>
>>
>> We will be setting up a production postgres database to which an
>> application will connect through a firewall. Can anyone please tell
>> me if there is any configuration that needs to be done on the postgres
>> database side for firewall. Is there any documentation that I can
>> refer to. Any help will be appreciated.
>>
>> Thanks
>> Paramjeet Bhella
>>
>>
>
> If you are using NAT then you need port forwarding set up on the
> firewall. If not then you need to make sure it allows the pg traffic
> through.
> Your firewall docs will show how to set that up. Default port for pg is
> 5432.
>
> As far as pg config goes the client IP addresses need to be allowed to
> connect. This is set up in pg_hba.conf.
>
> see chapter 21
> http://www.postgresql.org/docs/8.3/interactive/client-authentication.html
>
> For connections over the internet you should configure postgresql with
> SSL support and use something like -
>
> hostssl    mydb  +usergroup  192.168.1.0/24  md5
>
>
> The problems arise if you want to allow roaming users that can have
> varying ip addresses - try to find a solution that doesn't allow any
> computer on the net to connect.
>
>
> Will you (or can you) have VPN access to the internal network?
>
>
>


--

Shane Ambler
pgSQL (at) Sheeky (dot) Biz

Get Sheeky @ http://Sheeky.Biz
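
An added example, not part of the original message and not PostgreSQL code: a small Python check for the pg_hba.conf advice quoted above, flagging TCP rules that admit non-internal clients without SSL or that match any computer on the net. The sample file is constructed (only the `hostssl ... 192.168.1.0/24` rule comes from the thread), and the `INTERNAL` ranges, the function name `audit_hba` and the extra `trust` check are assumptions of this example.

```python
import ipaddress

# Ranges treated as internal (RFC 1918, loopback, IPv6 ULA) - an assumption; adjust to your network.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "::1/128", "fc00::/7")]

# Constructed sample; only the 192.168.1.0/24 hostssl rule comes from the thread.
SAMPLE_HBA = """\
# TYPE   DATABASE  USER        ADDRESS          METHOD
local    all       all                          md5
hostssl  mydb      +usergroup  192.168.1.0/24   md5
host     mydb      +usergroup  10.0.0.0/8       md5
host     all       all         0.0.0.0/0        md5
hostssl  mydb      appuser     0.0.0.0/0        trust
host     mydb      appuser     203.0.113.7  255.255.255.255  md5
"""


def audit_hba(text):
    """Return (line_number, finding) pairs for risky TCP rules in pg_hba.conf text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in ("host", "hostssl", "hostnossl"):
            continue  # comments, blank lines and local (Unix socket) rules
        conn_type, address, method = fields[0], fields[3], fields[4]
        if "/" not in address and len(fields) >= 6:
            # Older "IP-address IP-mask" form: the mask is a separate field.
            address, method = f"{address}/{fields[4]}", fields[5]
        try:
            net = ipaddress.ip_network(address, strict=False)
        except ValueError:
            findings.append((lineno, "unparsed address, review by hand"))
            continue
        internal = any(net.version == r.version and net.subnet_of(r) for r in INTERNAL)
        if net.prefixlen == 0:
            findings.append((lineno, "matches any client address"))
        if conn_type != "hostssl" and not internal:
            findings.append((lineno, "non-internal range allowed without SSL"))
        if method == "trust":
            findings.append((lineno, "trust method: no password required"))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit_hba(SAMPLE_HBA):
        print(f"line {lineno}: {finding}")
```

A `host` rule matches both SSL and non-SSL connections, which is why it is reported for non-internal ranges while the equivalent `hostssl` rule is not.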
