Date:      Thu, 26 Mar 2009 11:02:55 -0500
From:      Pierre Lamy <pierre@userid.org>
To:        Adrian Penisoara <ady@freebsd.ady.ro>
Cc:        freebsd-net@freebsd.org, Shawn Everett <shawn@tandac.com>
Subject:   Re: FreeBSD Router Problem
Message-ID:  <49CBA72F.3020600@userid.org>
In-Reply-To: <78cb3d3f0903260552g372fd4b6k886bba1ebc05a77c@mail.gmail.com>
References:  <3650.206.108.16.89.1235691792.squirrel@alder.hosix.com>	<3853.206.108.16.89.1235693214.squirrel@alder.hosix.com>	<78cb3d3f0902261619t71a054fet43779c37e2981603@mail.gmail.com>	<200902262341.35069.shawn@tandac.com> <49CAB28A.9030406@userid.org>	<1865.206.108.16.89.1238019698.squirrel@alder.hosix.com> <78cb3d3f0903260552g372fd4b6k886bba1ebc05a77c@mail.gmail.com>

states        hard limit    10000

If I want to DoS this box, all I need to do is hold 10k TCP connections 
open in established.

A 1 day default timeout for established connections is retarded, since 
virtually all client apps and OSs, as well as intervening stateful 
firewalls, will lose state after 1 hour. A session which is idle for more 
than an hour can't be considered to be active. Couple that with an extremely 
low state limit and you're asking for problems. If the session is 
active at all before the session timeout is hit, the timer is reset.

I'm not saying he's getting DoS'd, but with such low limits, even a 
normal home network is going to run into problems at some point. We can 
see from the diagnostic output provided earlier that there were no 
issues when it was collected, but was it collected while there was an 
outage?

If the problem still occurs, it may be worth scripting something to 
collect some pfctl -g -v -v -v -s all output, and some sysctl -a and 
vmstat output as well.

Pierre

Adrian Penisoara wrote:
> Hi,
>
> On Wed, Mar 25, 2009 at 11:21 PM, Shawn Everett <shawn@tandac.com> wrote:
>
>
>>> tcp.established           86400s
>>>
>>> ^^ This should be 3600.
>>>
>>> Pierre
>>
>> That's an interesting thought.  Why would that matter?
>
>
>
> It's the PF TCP established session timeout, which defaults to 1 day. This
> is relevant only if you see a lot of ESTABLISHED sessions in the 'pfctl -s
> state' output, which appears not to be the case...
>
>
> Regards,
> Adrian.
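The thread recommends two things: a sane tcp.established timeout (3600s rather than 86400s) relative to the states hard limit, and scripting the collection of pfctl -g -v -v -v -s all, sysctl -a and vmstat output while the problem is actually happening. The script below is an added example written for this archive page, not code from any participant in the thread or from the FreeBSD project. It parses the pfctl(8) output formats quoted in the thread (pfctl -s memory for the hard limit, pfctl -s timeouts for tcp.established) plus the "current entries" line of pfctl -s info, reports how full the state table is, warns when the established timeout exceeds 3600s, and saves the suggested diagnostics when the table is near its limit. The 80% threshold, the output directory, the function names and the sample pfctl text are this example's own assumptions.

```shell
#!/bin/sh
# pf_state_watch.sh -- added example, not from the thread or from FreeBSD.
# Compares live pf state usage with the "states hard limit", checks the
# tcp.established timeout against the 3600s the thread recommends, and
# captures diagnostics when the table is nearly full.
# Assumptions: the 80% threshold and $OUTDIR are this example's choices.

THRESHOLD_PCT="${THRESHOLD_PCT:-80}"
OUTDIR="${OUTDIR:-/var/log/pf-diag}"

# "states        hard limit    10000" from `pfctl -s memory` on stdin.
hard_limit() {
    awk '$1 == "states" && $2 == "hard" && $3 == "limit" { print $4; exit }'
}

# "  current entries   N" from `pfctl -s info` on stdin.
current_entries() {
    awk '$1 == "current" && $2 == "entries" { print $3; exit }'
}

# "tcp.established   86400s" from `pfctl -s timeouts` on stdin; strips the "s".
established_timeout() {
    awk '$1 == "tcp.established" { sub(/s$/, "", $2); print $2; exit }'
}

# Integer percentage of the state table in use; 0 when the limit is unknown.
usage_pct() {   # $1 = current entries, $2 = hard limit
    cur=${1:-0}; lim=${2:-0}
    [ "$lim" -gt 0 ] || { echo 0; return; }
    echo $(( cur * 100 / lim ))
}

# True when the table is at or above the alert threshold.
over_threshold() {   # $1 = percentage
    [ "${1:-0}" -ge "$THRESHOLD_PCT" ]
}

# True when idle sessions hold a state slot longer than the recommended 3600s.
timeout_too_long() {   # $1 = tcp.established in seconds
    [ "${1:-0}" -gt 3600 ]
}

# Gather the output Pierre suggests collecting during an outage.
collect_diagnostics() {
    dir="$OUTDIR/$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dir"
    pfctl -g -v -v -v -s all > "$dir/pfctl-all.txt" 2>&1
    sysctl -a                > "$dir/sysctl.txt"    2>&1
    vmstat                   > "$dir/vmstat.txt"    2>&1
    echo "$dir"
}

# Print the summary and return 0 when diagnostics should be collected.
report() {   # $1 = current, $2 = limit, $3 = tcp.established seconds
    pct=$(usage_pct "$1" "$2")
    echo "states: ${1:-?} / ${2:-?} (${pct}%)  tcp.established: ${3:-?}s"
    if timeout_too_long "$3"; then
        echo "warning: tcp.established exceeds 3600s; idle sessions keep a state slot for ${3}s"
    fi
    over_threshold "$pct"
}

# Constructed sample output, modelled on the pfctl lines quoted in the thread,
# so the checks can be exercised on a host without pf.
SAMPLE_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000'
SAMPLE_INFO='State Table                          Total             Rate
  current entries                     8500'
SAMPLE_TIMEOUTS='tcp.first                   120s
tcp.established           86400s'

if command -v pfctl >/dev/null 2>&1; then
    limit=$(pfctl -s memory | hard_limit)
    cur=$(pfctl -s info | current_entries)
    est=$(pfctl -s timeouts | established_timeout)
    if report "$cur" "$limit" "$est"; then
        echo "state table at or above ${THRESHOLD_PCT}%; diagnostics saved to $(collect_diagnostics)"
    fi
else
    # No pf on this host: run the same checks against the constructed sample.
    limit=$(printf '%s\n' "$SAMPLE_MEMORY" | hard_limit)
    cur=$(printf '%s\n' "$SAMPLE_INFO" | current_entries)
    est=$(printf '%s\n' "$SAMPLE_TIMEOUTS" | established_timeout)
    if report "$cur" "$limit" "$est"; then
        echo "(sample) state table at or above ${THRESHOLD_PCT}%; would collect diagnostics now"
    fi
fi
```

Run it from cron every minute on the router; the warning and the saved pfctl/sysctl/vmstat snapshots then line up with the time of an outage instead of a quiet moment, which is the gap Pierre points at. The fix itself lives in pf.conf: `set timeout tcp.established 3600` brings the idle timeout down to the hour the thread recommends, and `set limit states` should be raised to a value sized for the number of concurrent flows the network actually carries.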