| Subject | Re: [firebird-support] Re: Whitepaper on firewall-configuration? |
|---|---|
| Author | John vd Waeter |
| Post date | 2005-08-12T11:58:17Z |
Alan McDonald wrote:
Weird, I replied, didn't show up in the maillist. Replying again and I
had to remove your adress and replace it with the groups adress... never
happended before... anyway, here's the reply again...:
Hi Alan,
There are many possible configurations, they are all related to
firewall-rules. Server behind firewall, client behind firewall, both
behind firewall...
My testserver (linux) also acts as a router/NAT-firewall to connect my
LAN to the internet. On this server, FB 1.5.2 is running. From the
inside there was no problem connecting and setting up an event-notify
connection. From the outside it was NOT possible to setup the
event-notify connection. My firewall (iptables) would accept RELATED or
ESTABLISHED traffic, but that was, appearantly, not enough.
So I changed the firewall-rules to accept any incoming traffic from the
WAN adressed to ports higher than 1023. I recall a message from someone
who said this is a normal setting for a firewall that protects a public
server. Now the event-notify-connection works.
But in this case the NAT/firewall and the FBserver are both actually the
same machine. My collegue has an FBserver in the LAN, behind a separate
firewall. I will test with him, but he is enjoying a vacation at the
moment. I will report here as soon as we've had a chance to test.
And there is that second problem that a Windows fbserver is not
resistent against impossible event-notify-connections.
If the firewall-rules do not allow an event-notify connection, the
fb-server (CS) freezes... that is, running connections keep running, but
no new connections are possible until the service is restarted. My
linuxmachine does not show this behaviour. If it cannot establish the
event-connection, it just keeps running fine, accepting other connections.
On the clientside (Windows) the application seems to hang, blocked,
waiting for an exception in the winsock? That can take a long time...
most customers use their threefinger emergency-break...
If I have more results I'll let them know!
regards
John
> John,Hi Allen again,
> Did you get this working satisfactorily?
> Alan
>
Weird, I replied, didn't show up in the maillist. Replying again and I
had to remove your adress and replace it with the groups adress... never
happended before... anyway, here's the reply again...:
Hi Alan,
There are many possible configurations, they are all related to
firewall-rules. Server behind firewall, client behind firewall, both
behind firewall...
My testserver (linux) also acts as a router/NAT-firewall to connect my
LAN to the internet. On this server, FB 1.5.2 is running. From the
inside there was no problem connecting and setting up an event-notify
connection. From the outside it was NOT possible to setup the
event-notify connection. My firewall (iptables) would accept RELATED or
ESTABLISHED traffic, but that was, appearantly, not enough.
So I changed the firewall-rules to accept any incoming traffic from the
WAN adressed to ports higher than 1023. I recall a message from someone
who said this is a normal setting for a firewall that protects a public
server. Now the event-notify-connection works.
But in this case the NAT/firewall and the FBserver are both actually the
same machine. My collegue has an FBserver in the LAN, behind a separate
firewall. I will test with him, but he is enjoying a vacation at the
moment. I will report here as soon as we've had a chance to test.
And there is that second problem that a Windows fbserver is not
resistent against impossible event-notify-connections.
If the firewall-rules do not allow an event-notify connection, the
fb-server (CS) freezes... that is, running connections keep running, but
no new connections are possible until the service is restarted. My
linuxmachine does not show this behaviour. If it cannot establish the
event-connection, it just keeps running fine, accepting other connections.
On the clientside (Windows) the application seems to hang, blocked,
waiting for an exception in the winsock? That can take a long time...
most customers use their threefinger emergency-break...
If I have more results I'll let them know!
regards
John