> The firewall seems to affect the database communications negatively, and
> months of testing prove that.
>
> I have to do one of following:
> 1. Solve the problem with the firewall so that it does not disrupt the
> database communications.
> (Tons of broken pipes to the remote database etc. I use a pool that
> hands out connections and revives "dead" connections, but after a while
> it all dies. I know that TCP times out, but I renew all connections
> BEFORE that with a special thread. Accessing the same data from a
> machine on the same subnet works without ANY errors. So I guess it has
> to be a problem with "leaving" the subnet. Or ...?)
>
You should analyse the nature of the problem you're experiencing. Something
is terribly misconfigured.
> 2. Move the database.
>
> My questions:
> 1. Suggestions as far as the firewall/database problem anyone?
>
We need more information. What kind of rules are defined on the ipchains
box? Are you using IP masquerading? What protocol and ports are used by the
database application, and what sort of connections are established?
> 2. I might have to solve the problem by moving the database.
> Even if there is a risk by doing so - I might have to.
>
You should try to fix your problem first, though. An ipchains box is nothing
but a packet filtering router; it shouldn't give you any of the problems you
mention. Unless you're masquerading.
> My idea was
> a) to use double NICs in the database server, one connected to the DMZ
> and one to the local net, configuring the DMZ NIC on the database
> server so that it is part of the DMZ;
> b) to configure the firewall so that ALL access to the database machine
> via the DMZ is DENIED on all ports;
> c) to set up TCP wrappers on the database server to allow only web
> server communication via the NIC connected to the DMZ.
>
Oh no, you don't! Can you spell 'potential firewall circumvention'? You're
connecting the internal network and the DMZ; you might almost just as well
ditch the DMZ altogether if you're going to do that.
> If I only have one database server - what do you guys suggest?
>
Well, you should try to solve the real problem. Another possibility would
involve setting up a second DB server in the DMZ or, as I'd prefer, in a
separate DMZ, that replicates only the necessary data from the primary
server on the internal network (and you'd prefer to push the data to the DMZ
DB server from the internal network, if possible).
HTH
Tobias
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]