On Wednesday 18 April 2007 17:37, Tres Seaver wrote: [snip]
> Paul continued:
> > The biggest thing is that it is seen by some as a bug in Zope or Python
> > since we fixed it with a keepalive. How do we definitively clear Zeo
> > infrastructure? Is it somehow linked to python code not recognizing the
> > connection loss or is this strictly an iptables issue. Is it a bug in
> > iptables or just a mis-configuration?
>
> First, for clarity, the case we are discussing here is one in which
> 'netstat' on the client shows that the connection to the server is open,
> while 'netstat' on the server shows it as closed (the server's logs also
> record the disconnect). In such a case, Python has had no chance to
> detect the closure: even the *kernel* on the client machine doesn't
> know that the connection has gone away.
>
> Paul has heard me on this, but just for the record: sysadmins who
> deploy firewalls which violate TCP in this way in the name of "security"
> are DOS-ing themselves. While it might be tolerable to break the
> protocol to end abusive connections across public-facing interfaces,
> blindly applying such a rule as a blanket policy on internal networks is
> not competent.

Out of sheer curiosity -- how did they manage to configure iptables like
this? Iptables doesn't normally break connections on its own, or does it?

I ask because I also like to deploy iptables on production servers in
addition to the front-end firewall, and haven't had much trouble with that.

- peter.

>
> Tres.
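
Added example, not part of the original thread and not ZEO's own code: the thread says the problem was fixed "with a keepalive" without saying which kind, so this assumes kernel-level TCP keepalive on the client socket and shows how it lets the client notice the half-open state described above. The function names and timer values are hypothetical, chosen for illustration.

```python
import socket


def enable_keepalive(sock, idle=60, interval=10, count=5):
    """Ask the kernel to probe an idle TCP connection.

    idle     -- seconds of silence before the first probe is sent
    interval -- seconds between probes that go unanswered
    count    -- unanswered probes before the kernel declares the peer dead

    Returns the per-socket timers the platform actually accepted.
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {}
    # The per-socket timer options are platform specific (present on Linux);
    # where one is missing the system-wide default stays in effect.
    for name, value in (("TCP_KEEPIDLE", idle),
                        ("TCP_KEEPINTVL", interval),
                        ("TCP_KEEPCNT", count)):
        opt = getattr(socket, name, None)
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
            applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


def detection_delay(idle, interval, count):
    """Rough upper bound, in seconds, on how long a silently dropped
    connection can keep showing as open in the client's netstat."""
    return idle + interval * count


def keepalive_is_on(sock):
    # Some platforms report a nonzero flag value other than 1.
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0


if __name__ == "__main__":
    # Constructed demo: an unconnected socket is enough to show the settings.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print("before:", keepalive_is_on(s))
    print("timers:", enable_keepalive(s, idle=60, interval=10, count=5))
    print("after: ", keepalive_is_on(s))
    print("dead peer noticed within ~%d s" % detection_delay(60, 10, 5))
    s.close()
```

Once the probes go unanswered, the next read or write on the socket fails with an error, which gives the Python code the signal it otherwise never receives.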