Re: Postgres database and firewall

From: Shane Ambler <pgsql(at)Sheeky(dot)Biz>
To: Bhella Paramjeet-PFCW67 <PBhella(at)Motorola(dot)com>
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: Postgres database and firewall
Date: 2008-03-20 18:04:19
Message-ID: 47E2A723.1030208@Sheeky.Biz
Lists: pgsql-admin

Bhella Paramjeet-PFCW67 wrote:
> Thank you very much Shane for your response. I have one more question:
> the firewall usually drops the idle connections. What can we configure
> on the database side to keep the idle connections alive? In the
> postgresql.conf file I see the parameter tcp_keepalives_idle. Would setting
> this parameter be enough to keep the idle connections alive, or is
> there anything else I need to be aware of? Your help will be highly
> appreciated.

If the firewall is stopping traffic when a connection is idle for too
long, then you may want to look at either changing the settings on the
firewall or having the client send some trivial command on a timed basis.

I may be wrong (I haven't looked into this in detail), but I think
tcp_keepalives_idle keeps the TCP session alive when there is no traffic;
it doesn't actually send traffic to keep the session active, which is
what the firewall would need.

I do know that some systems will not allow a program to change this 
setting so it must be done in the system config.

> Thanks
> Paramjeet Kaur
> -----Original Message-----
> From: Shane Ambler [mailto:pgsql(at)Sheeky(dot)Biz] 
> Sent: Thursday, March 20, 2008 12:48 AM
> To: Bhella Paramjeet-PFCW67
> Cc: pgsql-admin(at)postgresql(dot)org
> Subject: Re: [ADMIN] Postgres database and firewall
> Bhella Paramjeet-PFCW67 wrote:
>> Hi
>> We will be setting up a production postgres database to which an
>> application will connect through a firewall. Can anyone please tell
>> me if there is any configuration that needs to be done on the postgres
>> database side for the firewall? Is there any documentation that I can
>> refer to? Any help will be appreciated.
>> Thanks
>> Paramjeet Bhella
> If you are using NAT then you need port forwarding set up on the
> firewall. If not then you need to make sure it allows the pg traffic
> through.
> Your firewall docs will show how to set that up. Default port for pg is
> 5432.
> As far as pg config goes, the client IP addresses need to be allowed to
> connect. This is set up in pg_hba.conf
> see chapter 21
> For connections over the internet you should configure postgresql with
> SSL support and use something like -
> hostssl    mydb  +usergroup  md5
> The problems arise if you want to allow roaming users that can have
> varying ip addresses - try to find a solution that doesn't allow any
> computer on the net to connect.
> Will you (or can you) have VPN access to the internal network?


Shane Ambler
pgSQL (at) Sheeky (dot) Biz

Get Sheeky @ http://Sheeky.Biz
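
The pg_hba.conf advice in the quoted message (use hostssl, and avoid rules that let any computer on the net connect) can be checked mechanically. The script below is an added example, not part of the original messages: `parse_hba` and `audit_hba` are hypothetical names, and the sample file and its addresses (documentation ranges) are constructed.

```python
import ipaddress

# Constructed sample; addresses are documentation ranges, not values from the thread.
SAMPLE_HBA = """\
# TYPE   DATABASE  USER        ADDRESS                       METHOD
local    all       postgres                                  peer
hostssl  mydb      +usergroup  203.0.113.0/24                md5
host     mydb      +usergroup  198.51.100.7 255.255.255.255  md5
hostssl  mydb      +usergroup  0.0.0.0/0                     md5
host     all       all         ::/0                          trust
"""

def parse_hba(text):
    """Yield (lineno, type, database, user, address, method) per record."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # assumes no quoted '#' in values
        if not fields:
            continue
        if fields[0] == "local":  # Unix-socket records have no address column
            yield (lineno, *fields[:3], None, fields[3])
            continue
        rtype, db, user, addr, *rest = fields
        try:  # "ADDRESS NETMASK" two-column form (IPv4 only in this sketch)
            ipaddress.IPv4Address(rest[0])
            addr = f"{addr}/{rest.pop(0)}"
        except ValueError:
            pass
        yield lineno, rtype, db, user, addr, rest[0]

def audit_hba(text):
    """Return (lineno, message) findings for records that are too permissive."""
    findings = []
    for lineno, rtype, db, user, addr, method in parse_hba(text):
        if rtype in ("host", "hostnossl"):
            findings.append((lineno, f"{rtype} permits unencrypted TCP; use hostssl"))
        if addr is not None:
            try:
                any_addr = ipaddress.ip_network(addr, strict=False).prefixlen == 0
            except ValueError:  # hostname or keyword such as "all"
                any_addr = addr == "all"
            if any_addr:
                findings.append((lineno, "matches any client address"))
        if method == "trust":
            findings.append((lineno, "trust skips password authentication"))
    return findings

if __name__ == "__main__":
    for lineno, msg in audit_hba(SAMPLE_HBA):
        print(f"line {lineno}: {msg}")
```
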
