Re: Firewall Security Requirements for Postgresql Access - Mailing list pgsql-general

From Greg Stark
Subject Re: Firewall Security Requirements for Postgresql Access
Date
Msg-id 87656ppspo.fsf@stark.xeocode.com
In response to Re: Firewall Security Requirements for Postgresql Access  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-general
Tom Lane <tgl@sss.pgh.pa.us> writes:

> Postgres does enable TCP "keepalive" to prevent idle connections from dying,
> but most kernels only send keepalive probes every hour or so. (The TCP RFCs
> actually specify how often to do this, IIRC.)

RFC 1122 4.2.3.6:

            Keep-alive packets MUST only be sent when no data or
            acknowledgement packets have been received for the
            connection within an interval.  This interval MUST be
            configurable and MUST default to no less than two hours.

> If the firewall drops idle connections after less than the TCP keepalive
> interval, you got trouble.

Of course it really ought to wait at least some reasonable multiple of the
keepalive interval since either the data or the ack could get dropped. In fact
dropping connections after only a single keepalive being dropped is explicitly
prohibited:

            It is extremely important to remember that ACK segments that
            contain no data are not reliably transmitted by TCP.
            Consequently, if a keep-alive mechanism is implemented it
            MUST NOT interpret failure to respond to any specific probe
            as a dead connection.

Of course NAT violates uncounted RFCs in the first place. But if you're going
to do NAT you usually really want the timeouts to be on the order of days, not
hours.

--
greg
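
An added example, not part of the message above: a Python sketch that picks per-socket keepalive timers so several probes leave before a firewall's idle timer expires, since RFC 1122 says no single probe may decide the outcome. The 600-second firewall timeout, the function names and the halving rule are assumptions for illustration; the `TCP_KEEP*` socket options are the Linux names.

```python
import socket
from typing import NamedTuple

class KeepalivePlan(NamedTuple):
    idle_s: int      # quiet time before the first probe
    interval_s: int  # gap between unanswered probes
    count: int       # unanswered probes before the kernel gives up

# Linux kernel defaults: first probe after two hours of silence.
LINUX_DEFAULT = KeepalivePlan(idle_s=7200, interval_s=75, count=9)

def probes_inside_window(plan, firewall_idle_s):
    """Number of probes sent before the firewall's idle timer expires."""
    if plan.idle_s >= firewall_idle_s:
        return 0  # the state entry is gone before the first probe leaves
    fit = 1 + (firewall_idle_s - 1 - plan.idle_s) // plan.interval_s
    return min(plan.count, fit)

def plan_for_firewall(firewall_idle_s, probes=3):
    """Pick timers so `probes` probes fit inside the firewall's idle window."""
    if probes < 2:
        # A lone probe (or its data-less ACK) may simply be lost in transit.
        raise ValueError("need at least two probes inside the window")
    idle = firewall_idle_s // 2  # assumption: start probing at half the window
    interval = max(1, (firewall_idle_s - idle) // (probes + 1))
    return KeepalivePlan(idle, interval, probes)

def apply_keepalive(sock, plan):
    """Enable keepalive on one socket and override the system-wide timers."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    for name, value in (("TCP_KEEPIDLE", plan.idle_s),
                        ("TCP_KEEPINTVL", plan.interval_s),
                        ("TCP_KEEPCNT", plan.count)):
        opt = getattr(socket, name, None)  # absent on some platforms
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)

if __name__ == "__main__":
    firewall_idle_s = 600  # constructed value: firewall drops idle state after 10 min
    print("default probes in window:",
          probes_inside_window(LINUX_DEFAULT, firewall_idle_s))
    plan = plan_for_firewall(firewall_idle_s)
    print("chosen plan:", plan,
          "probes in window:", probes_inside_window(plan, firewall_idle_s))
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        apply_keepalive(s, plan)  # set before connect() so it covers the whole session
```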
