[OT] iptables, was: Re: [ZODB-Dev] Re: RESOLUTION: Re: more lockup information / zope2.9.6+zodb3.6.2
Peter Sabaini
peter at sabaini.at
Thu Apr 19 04:16:45 EDT 2007
On Wednesday 18 April 2007 17:37, Tres Seaver wrote:
[snip]
> Paul continued:
> > The biggest thing is that it is seen by some as a bug in Zope or Python
> > since we fixed it with a keepalive. How do we definitively clear Zeo
> > infrastructure? Is it somehow linked to python code not recognizing the
> > connection loss or is this strictly an iptables issue. Is it a bug in
> > iptables or just a mis-configuration?
>
> First, for clarity, the case we are discussing here is one in which
> 'netstat' on the client shows that the connection to the server is open,
> while 'netstat' on the server shows it as closed (the server's logs also
> record the disconnect). In such a case, Python has had no chance to
> detect the closure: even the *kernel* on the client machine doesn't
> know that the connection has gone away.
>
> Paul has heard me on this, but just for the record: sysadmins who
> deploy firewalls which violate TCP in this way in the name of "security"
> are DOS-ing themselves. While it might be tolerable to break the
> protocol to end abusive connections across public-facing interfaces,
> blindly applying such a rule as a blanket policy on internal networks is
> not competent.
Out of sheer curiosity -- how did they manage to configure iptables like this?
Iptables doesn't normally break connections on its own, or does it?
I ask because I also like to deploy iptables on production servers in addition
to the front-end firewall, and haven't had much trouble with that.
- peter.
>
> Tres.
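As an added illustration of the keepalive workaround Paul's message mentions (this is not code from the thread or from ZODB/ZEO): the client kernel only learns that a stateful firewall has silently dropped its flow if something is sent over the connection, so the keepalive idle timer has to fire before the firewall's idle timeout expires. The firewall timeout value and the probe schedule below are constructed assumptions; the per-socket timer options are Linux-specific and fall back to plain SO_KEEPALIVE elsewhere.

```python
import socket

# Constructed assumption: the firewall forgets an idle ESTABLISHED flow after
# this many seconds (Linux conntrack defaults to 5 days; many appliances and
# hardened rulesets use far less). Not a value taken from the thread.
FIREWALL_IDLE_TIMEOUT = 600


def keepalive_params(firewall_timeout, probes=5, interval=15):
    """Choose (idle, interval, count) so the first probe goes out at half the
    firewall's idle timeout, and return the worst-case time (seconds) until the
    kernel declares a silently dropped peer dead: idle + interval * probes."""
    idle = max(1, firewall_timeout // 2)
    detect = idle + interval * probes
    return idle, interval, probes, detect


def enable_keepalive(sock, idle, interval, count):
    """Enable keepalive probes on `sock` and return what the kernel stored
    (read back via getsockopt), so the caller can verify the tuning took."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    result = {"keepalive": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}
    # Per-socket timers exist on Linux; elsewhere only SO_KEEPALIVE applies and
    # the system-wide defaults (often 2 hours idle) stay in force.
    if hasattr(socket, "TCP_KEEPIDLE"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle)
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)
        result["idle"] = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE)
        result["interval"] = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL)
        result["count"] = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT)
    return result


def demo(firewall_timeout=FIREWALL_IDLE_TIMEOUT):
    """Tune a fresh TCP socket (no connection needed) and report the settings."""
    idle, interval, count, detect = keepalive_params(firewall_timeout)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        applied = enable_keepalive(s, idle, interval, count)
    applied["detect_seconds"] = detect
    return applied


if __name__ == "__main__":
    print(demo())
```

With the constructed 600 s firewall timeout, probes start after 300 s of idleness and a dead peer is reported after 375 s, well inside the window in which the firewall still holds the flow's state.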