Date: Fri, 27 Mar 2009 14:18:02 +0100
From: Adrian Penisoara <ady@freebsd.ady.ro>
To: Pierre Lamy <pierre@userid.org>
Cc: freebsd-net@freebsd.org, Shawn Everett <shawn@tandac.com>
Subject: Re: FreeBSD Router Problem
Message-ID: <78cb3d3f0903270618u229986c1idddd0e5548444c60@mail.gmail.com>
In-Reply-To: <49CBA72F.3020600@userid.org>
References: <3650.206.108.16.89.1235691792.squirrel@alder.hosix.com> <3853.206.108.16.89.1235693214.squirrel@alder.hosix.com> <78cb3d3f0902261619t71a054fet43779c37e2981603@mail.gmail.com> <200902262341.35069.shawn@tandac.com> <49CAB28A.9030406@userid.org> <1865.206.108.16.89.1238019698.squirrel@alder.hosix.com> <78cb3d3f0903260552g372fd4b6k886bba1ebc05a77c@mail.gmail.com> <49CBA72F.3020600@userid.org>
Hi,

On Thu, Mar 26, 2009 at 5:02 PM, Pierre Lamy <pierre@userid.org> wrote:
> states hard limit 10000
>
> If I want to dos this box all I need to do is hold 10k tcp connections open
> in established.
>
> A 1 day default timeout for established connections is retarded, since
> virtually all client apps and OSs as well as intervening stateful firewalls
> will lose state after 1 hour. A session which is idle for more than an hour
> can't be considered to be active. Coupled with an extremely low state limit,
> and you're asking for problems. If the session is active at all before the
> session timeout is hit, the timer is reset.

I'm sorry but I have to object. Having past experience in Oracle Support for
networking issues I did see many problems with stateful firewalls which were
cutting off idle Oracle connections. The baseline is: DO NOT assume
connections are dead even if they are idle for more than an hour...

> I'm not saying he's getting DOSd, but with such low limits, even a normal
> home network is going to run into problems at some point. We can see from
> the diagnostic output provided earlier that there were no issues when it was
> collected, but was it collected while there was an outage?
>
> If the problem still occurs, it may be worth scripting something to collect
> some pfctl -g -v -v -v -s all and some sysctl -a, vmstat output as well.

Well, just keep a 'pfctl -s state >/var/tmp/pf-states.txt' running in cron
every few minutes then and let's check it out...

Regards,
Adrian.

> Pierre
>
> Adrian Penisoara wrote:
>> Hi,
>>
>> On Wed, Mar 25, 2009 at 11:21 PM, Shawn Everett <shawn@tandac.com> wrote:
>>
>>> tcp.established 86400s
>>>>
>>>> ^^ This should be 3600.
>>>>
>>>> Pierre
>>>
>>> That's an interesting thought. Why would that matter?
>>
>> It's the PF TCP established session timeout, which defaults to 1 day. This
>> is relevant only if you see a lot of ESTABLISHED sessions in the 'pfctl -s
>> state' output, which appears not to be the case...
>>
>> Regards,
>> Adrian.
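Adrian's cron-driven 'pfctl -s state' snapshot, carried one step further as an added example that is not from the thread: a POSIX sh script that summarises a snapshot and exits non-zero when the table approaches the 10000-state hard limit Pierre quoted, so cron mail or a log grep shows whether the table was full during an outage. The sample snapshot lines, the 80% warning threshold and the script name pf-state-check.sh are my own constructed assumptions.

```shell
#!/bin/sh
# pf-state-check.sh LIMIT WARN_PCT  (added example; reads 'pfctl -s state' output on stdin)
# Assumes pf's 'pfctl -s state' line format: <if> <proto> <src> <dir> <dst> <state:state>
# The lines below are constructed sample output, not captured from the poster's router.
SAMPLE_STATES='all tcp 192.0.2.10:443 <- 198.51.100.7:51234       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:22 <- 198.51.100.8:40001       ESTABLISHED:ESTABLISHED
all tcp 198.51.100.9:3306 <- 192.0.2.11:50000       FIN_WAIT_2:FIN_WAIT_2
all udp 192.0.2.10:53 <- 198.51.100.10:5353       MULTIPLE:SINGLE
all tcp 192.0.2.10:443 <- 198.51.100.12:51235       CLOSED:SYN_SENT'

# count_established: number of fully established TCP states in the snapshot on stdin
count_established() {
    awk '$2 == "tcp" && $NF == "ESTABLISHED:ESTABLISHED" { n++ } END { print n+0 }'
}

# count_states: total number of state entries in the snapshot on stdin
count_states() {
    awk 'NF > 0 { n++ } END { print n+0 }'
}

# state_usage_pct TOTAL LIMIT: integer percentage of the hard limit in use
state_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# check_snapshot LIMIT WARN_PCT: print one summary line for the log;
# returns 0 while usage is below WARN_PCT, 1 once it reaches it
check_snapshot() {
    limit=$1; warn=$2
    snapshot=$(cat)
    est=$(printf '%s\n' "$snapshot" | count_established)
    total=$(printf '%s\n' "$snapshot" | count_states)
    pct=$(state_usage_pct "$total" "$limit")
    printf '%s states=%s established=%s limit=%s used=%s%%\n' \
        "$(date -u +%FT%TZ)" "$total" "$est" "$limit" "$pct"
    [ "$pct" -lt "$warn" ]
}

# Entry point for cron, e.g.:
#   */5 * * * * pfctl -s state | /usr/local/bin/pf-state-check.sh 10000 80 >> /var/log/pf-states.log
if [ "$#" -eq 2 ]; then
    check_snapshot "$1" "$2"
fi
```

Read LIMIT from 'pfctl -s memory' (the "states hard limit" line) rather than hard-coding it, and compare the established count against tcp.established from 'pfctl -s timeouts' when deciding whether idle sessions are what fills the table.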