[ZODB-Dev] Re: [OT] iptables, was: Re: Re: RESOLUTION: Re: more lockup information / zope2.9.6+zodb3.6.2

Tres Seaver tseaver at palladion.com
Thu Apr 19 09:36:09 EDT 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Peter Sabaini wrote:
> On Wednesday 18 April 2007 17:37, Tres Seaver wrote:
> 
> [snip]
> 
>> Paul continued:
>>> The biggest thing is that it is seen by some as a bug in Zope or Python
>>> since we fixed it with a keepalive.  How do we definitively clear Zeo
>>> infrastructure?  Is it somehow linked to python code not recognizing the
>>> connection loss or is this strictly an iptables issue.  Is it a bug in
>>> iptables or just a mis-configuration?
>> First, for clarity, the case we are discussing here is one in which
>> 'netstat' on the client shows that the connection to the server is open,
>> while 'netstat' on the server shows it as closed (the server's logs also
>> record the disconnect).  In such a case, Python has had no chance to
>> detect the closure:  even the *kernel* on the client machine doesn't
>> know that the connection has gone away.
>>
>> Paul has heard me on this, but just for the record:  sysadmins who
>> deploy firewalls which violate TCP in this way in the name of "security"
>> are DOS-ing themselves.  While it might be tolerable to break the
>> protocol to end abusive connections across public-facing interfaces,
>> blindly applying such a rule as a blanket policy on internal networks is
>> not competent.
> 
> Out of sheer curiosity -- how did they manage to configure iptables like this? 
> Iptables doesn't normally break connections on its own, or does it?
> 
> I ask because I also like to deploy iptables on production servers in addition 
> to the front-end firewall, and haven't had much trouble with that.

I haven't actually seen the configuration (the network admins are
playing poker with it, apparently).  We deployed the keepalive tool as
an experiment to test the hypothesis that the ZEO connection was being
aborted uncleanly after a period of idleness:  the fact that the tool
prevents the failure doesn't *prove* that iptables is at fault, but
is strongly suggestive of it (the admins claim there is no other
firewalling going on, e.g. at a router).


Tres.
- --
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGJ3BJ+gerLs4ltQ4RAm8tAJ9nzeGp4gSVoR8JMeQ7V7B2YnwBnACeNXCH
L9rI9wuGfQz4hU3u5zC+JRo=
=mQWj
-----END PGP SIGNATURE-----
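The failure mode discussed above (an idle TCP flow whose state a stateful firewall silently drops, leaving the client kernel convinced the connection is still ESTABLISHED) is what TCP keepalive exists to catch. The following is an added example, not code from the ZEO/ZODB project or from anyone in this thread: it enables per-socket keepalive probes in Python, reads the settings back from the kernel so they can be verified, and carries the two checks a practitioner wants, namely how long a dead peer goes unnoticed, and whether the probe interval is short enough to refresh the firewall's state entry before it expires. The probe timings (60 s / 10 s / 5 probes) and the 600 s firewall idle timeout are assumed values for illustration; the socket option names are the standard Linux/BSD ones and are guarded with hasattr for platforms that lack them.

```python
"""Per-socket TCP keepalive for a long-lived client connection such as a
ZEO client, plus the arithmetic needed to size the probes against a
stateful firewall's idle timeout.

Added example; not code from the ZODB/ZEO project or the thread's authors.
Timings and the firewall timeout below are assumed values.
"""
import socket


def enable_tcp_keepalive(sock, idle=60, interval=10, count=5):
    """Turn on keepalive probes on `sock` and, where the platform exposes
    per-socket timers, set them.  Returns a dict of what was applied.

    idle     -- seconds of silence before the first probe
    interval -- seconds between unanswered probes
    count    -- unanswered probes before the kernel declares the peer dead
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"keepalive": True}

    # Linux calls the idle timer TCP_KEEPIDLE; macOS/BSD call it TCP_KEEPALIVE.
    if hasattr(socket, "TCP_KEEPIDLE"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle)
        applied["idle"] = idle
    elif hasattr(socket, "TCP_KEEPALIVE"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPALIVE, idle)
        applied["idle"] = idle
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
        applied["interval"] = interval
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)
        applied["count"] = count
    return applied


def detection_delay(idle, interval, count):
    """Worst-case seconds between the last real traffic and the client
    kernel giving up on the peer (the next read then fails instead of
    blocking forever on a half-open socket)."""
    return idle + interval * count


def probes_keep_state_alive(idle, firewall_idle_timeout):
    """A probe must leave before the firewall expires the flow's state
    entry; otherwise the probe itself is dropped and the entry is never
    refreshed.  `firewall_idle_timeout` is the established-flow timeout of
    the stateful firewall (on Linux netfilter,
    /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established)."""
    return idle < firewall_idle_timeout


def apply_and_readback(idle=60, interval=10, count=5):
    """Open a loopback TCP connection (constructed input), apply keepalive,
    and read the options back from the kernel so the result can be
    verified rather than assumed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    client = socket.create_connection(listener.getsockname())
    try:
        enable_tcp_keepalive(client, idle, interval, count)
        readback = {
            "keepalive": client.getsockopt(socket.SOL_SOCKET,
                                           socket.SO_KEEPALIVE) != 0,
        }
        idle_opt = getattr(socket, "TCP_KEEPIDLE",
                           getattr(socket, "TCP_KEEPALIVE", None))
        if idle_opt is not None:
            readback["idle"] = client.getsockopt(socket.IPPROTO_TCP, idle_opt)
        if hasattr(socket, "TCP_KEEPINTVL"):
            readback["interval"] = client.getsockopt(socket.IPPROTO_TCP,
                                                     socket.TCP_KEEPINTVL)
        if hasattr(socket, "TCP_KEEPCNT"):
            readback["count"] = client.getsockopt(socket.IPPROTO_TCP,
                                                  socket.TCP_KEEPCNT)
    finally:
        client.close()
        listener.close()
    return readback


if __name__ == "__main__":
    print("kernel reports:", apply_and_readback(60, 10, 5))
    print("dead peer noticed within %ds" % detection_delay(60, 10, 5))
    # assumed firewall idle timeout of 600 s for the check
    print("probes refresh firewall state:", probes_keep_state_alive(60, 600))
```

Without the per-socket timers, Linux falls back to the system-wide net.ipv4.tcp_keepalive_time (7200 s by default), which is far longer than many conntrack or firewall idle timeouts; that is why a connection can sit in ESTABLISHED on the client while the server has long since logged the disconnect. Setting the idle timer below the firewall's timeout is the configuration-side equivalent of the keepalive tool the thread describes.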


