| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | BJ Freeman <bjfree(at)free-man(dot)net> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: another can't connect |
| Date: | 2009-06-29 13:51:11 |
| Message-ID: | 11068.1246283471@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
BJ Freeman <bjfree(at)free-man(dot)net> writes:
> sorry about the post did not do a reply all and sent a personal replay
> yes in the chain I have
> ACCEPT all -- anywhere anywhere state
> RELATED,ESTABLISHED
> it is the next to last rule.
You sure that works? This notation for iptables isn't familiar to me,
but I'd have thought you have to specify the "state" module. The
comparable line in my iptables looks like
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Come to think of it, the "state NEW" test in your other line would
have to addressed to the state module as well.
BTW, usual practice is to put the established-connections rule near the
start of the chain, not the end, on the grounds that the majority of
packets the kernel will see will match this rule and so you want to test
it sooner rather than later.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2009-06-29 14:11:30 | Re: Slony-I timezone setting |
| Previous Message | Scott Mead | 2009-06-29 13:38:26 | Re: masking the code |