Sorry for the delay, you took me out of the To: listing, so the message
just went into my lists box, which I didn't get to until today.
On Fri, 14 Oct 2005, Nicolas KOWALSKI wrote:
> > Assuming that port reuse is the problem, there is no quick fix for
> > this, just resetting connections when a SYN comes in would be a
> > really big security problem.
>
> Really? Are Linux and Solaris that insecure because of this behaviour?
Not necessarily - there are a bunch of different ways to handle the
situation better than we do at present. I don't know how Solaris/Linux do
it right now, nor have I had time to implement an improvement for FreeBSD.
Maybe in January I'll have time.
> > Actually, there may be a quick fix for this specific machine. If you
> > set net.inet.tcp.keepidle to 1 minute (60*whatever kern.hz is),
> > that'll cause keepalive packets to be sent every minute to an idle
> > connection, rather than every 2 hours. That would kill the stuck
> > connections much quicker.
> Unfortunately, this does not work as expected. I just tested with my
> workstation (Linux 2.6), with NFS filesystems mounted with TCP; when
> the station rebooted abruptly, mounting the same NFS filesystems hung
> more than 1 minute (15 minutes just now). During this hang, I saw on
> the server, using netstat, the nfsd process related to my workstation
> in ESTABLISHED state.
>
> Any other tip?
>
> Many thanks in advance,
>
> --
> Nicolas
Ok, I have one other quick fix idea, but it's a bit crazy. ipfw is
supposed to send keepalive packets when rules go idle and are about to
expire. So, if you make a keep-state rule for incoming connections, then
maybe ipfw would somehow close down the dead connection.
Mike "Silby" Silbersack
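Added example, not part of the thread and not code from either poster: a dry-run planner for the two "quick fix" ideas discussed above (TCP keepalive tuning and the ipfw keep-state trick). It prints the sysctl and ipfw commands rather than running them, so they can be checked against the server's actual defaults before use. One thing worth seeing in numbers: keepidle only decides when the first probe goes out; the peer is declared dead only after keepintvl times the probe count on top of that. With the defaults I am assuming for FreeBSD of that era (75 s interval, 8 probes, a compile-time constant on older releases), a 60 s keepidle alone still needs about eleven minutes to tear the connection down, which is the same order of magnitude as the hang reported above. Assumptions: the keepidle/keepintvl sysctls take milliseconds (check with `sysctl net.inet.tcp.keepidle`; the two-hour default reads 7200000 when the unit is milliseconds), the NFS port 2049, the rule numbers and the dynamic-rule lifetime are constructed values, and net.inet.tcp.always_keepalive is needed only if the server process does not set SO_KEEPALIVE itself.

```shell
#!/bin/sh
# Added example (not from the thread): dry-run planner for faster
# detection of dead NFS clients on a FreeBSD server.  Nothing here
# touches the kernel; every function just prints the commands.
# Assumption: net.inet.tcp.keepidle/keepintvl are in milliseconds, and
# the probe count is the kernel default of 8.  Port/rule numbers and the
# ipfw dynamic-rule lifetime below are constructed sample values.

# Seconds until a silent peer is torn down: the first probe is sent
# after `idle` seconds, then `cnt` probes follow `intvl` seconds apart.
keepalive_detect_seconds() {
    idle=$1 intvl=$2 cnt=$3
    echo $(( idle + intvl * cnt ))
}

# Commands for the first idea: keepalive sysctls for idle/interval
# given in seconds (converted to the assumed millisecond unit).
keepalive_sysctls() {
    idle=$1 intvl=$2
    printf 'sysctl net.inet.tcp.always_keepalive=1\n'
    printf 'sysctl net.inet.tcp.keepidle=%d\n' $(( idle * 1000 ))
    printf 'sysctl net.inet.tcp.keepintvl=%d\n' $(( intvl * 1000 ))
}

# Commands for the second idea: a keep-state rule for incoming NFS
# connections, with ipfw's own keepalives for dynamic rules enabled so
# that an expiring rule probes both ends (a rebooted client answers
# with a RST, which resets the server side of the stuck connection).
ipfw_nfs_keepstate_rules() {
    port=$1 lifetime=$2
    printf 'sysctl net.inet.ip.fw.dyn_keepalive=1\n'
    printf 'sysctl net.inet.ip.fw.dyn_ack_lifetime=%d\n' "$lifetime"
    printf 'ipfw add 100 check-state\n'
    printf 'ipfw add 200 allow tcp from any to me %d setup keep-state\n' "$port"
}

# Usage: sh keepalive_plan.sh plan
if [ "${1:-}" = "plan" ]; then
    echo "# detection time with defaults (7200 s idle, 75 s interval, 8 probes):"
    echo "#   $(keepalive_detect_seconds 7200 75 8) s"
    echo "# detection time with 60 s idle only (keepintvl left at 75 s):"
    echo "#   $(keepalive_detect_seconds 60 75 8) s"
    echo "# detection time with 60 s idle and 10 s interval:"
    echo "#   $(keepalive_detect_seconds 60 10 8) s"
    keepalive_sysctls 60 10
    ipfw_nfs_keepstate_rules 2049 120
fi
```

Run it with the `plan` argument to see the numbers and the commands together; the printed sysctl values are only right if the unit assumption holds on the target release, so compare the current `sysctl net.inet.tcp.keepidle` output first.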
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net