On Jun 20, 2010, at 22:01 , Kevin Grittner wrote:
> "Joshua D. Drake" wrote:
> 
>> Can someone tell me what we are going to do about firewalls that
>> impose their own rules outside of the control of the DBA?
> 
> Has anyone actually seen a firewall configured for something so
> stupid as to allow *almost* all the various packets involved in using
> a TCP connection, but which suppressed just keepalive packets?  That
> seems to be what you're suggesting is the risk; it's an outlandish
> enough suggestion that I think the burden of proof is on you to show
> that it happens often enough to make this a worthless change.

Yeah, especially since there is no such thing as a special "keepalive" packet 
in TCP. Keepalive simply sends packets with zero bytes of payload every once in 
a while if the connection is otherwise inactive. If those aren't acknowledged 
(like every other packet would be) by the peer, the connection is assumed to be 
broken. On a reasonably active connection, keepalive neither causes additional 
transmissions, nor altered transmissions.

Keepalive is therefore extremely unlikely to break things - in the very worst 
case, a (really, really stupid) firewall might decide to drop packets with zero 
bytes of payload, causing inactive connections to abort after a while. AFAIK 
walreceiver will simply reconnect in this case. 

Plus, the postmaster enables keepalive on all incoming connections *already*, 
so any problems ought to have caused bug reports about dropped client 
connections.

best regards,
Florian Pflug


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
