On Wednesday 18 April 2007 17:37, Tres Seaver wrote:
> Paul continued:
> > The biggest thing is that it is seen by some as a bug in Zope or Python
> > since we fixed it with a keepalive. How do we definitively clear Zeo
> > infrastructure? Is it somehow linked to python code not recognizing the
> > connection loss or is this strictly an iptables issue. Is it a bug in
> > iptables or just a mis-configuration?
> First, for clarity, the case we are discussing here is one in which
> 'netstat' on the client shows that the connection to the server is open,
> while 'netstat' on the server shows it as closed (the server's logs also
> record the disconnect). In such a case, Python has had no chance to
> detect the closure: even the *kernel* on the client machine doesn't
> know that the connection has gone away.
> Paul has heard me on this, but just for the record: sysadmins who
> deploy firewalls which violate TCP in this way in the name of "security"
> are DOS-ing themselves. While it might be tolerable to break the
> protocl to end abusive connections across public-facing interfaces,
> blindly applying such a rule as a blanket policy on internal networks is
> not competent.
Out of sheer curiosity -- how did they manage to configure iptables like this?
Iptables doesn't normally break connections on its own, or does it?
I ask because I also like to deploy iptables on production servers in addition
to the front-end firewall, and haven't had much trouble with that.
For more information about ZODB, see the ZODB Wiki:
ZODB-Dev mailing list - ZODB-Dev@zope.org