Hi, On Thu, Mar 26, 2009 at 5:02 PM, Pierre Lamy <pie...@userid.org> wrote:
> states hard limit 10000 > > If I want to dos this box all I need to do is hold 10k tcp connections open > in established. > > A 1 day default timeout for established connections is retarded, since > virtually all client apps and OSs as well as intervening stateful firewalls > will lose state after 1 hour. A session which is idle for more than an hour > can't be considered to be active. Coupled with an extremely low state limit, > and you're asking for problems. If the session is active at all before the > session timeout is hit, the timer is reset. I'm sorry but I have to object. Having past experience in Oracle Support for networking issues I did see many problems with statefull firewalls which were cutting off idle Oracle connections. The base line is: DO NOT assume connections are dead even if they are idle for more than an hour... > > > I'm not saying he's getting DOSd, but with such low limits, even a normal > home network is going to run into problems at some point. We can see from > the diagnostic output provided earlier that there were no issues when it was > collected, but was it collected while there was an outage? > > If the problem still occurs, it may be worth scripting something to collect > some pfctl -g -v -v -v -s all and some sysctl -a, vmstat output as well. Well, just keep a 'pfctl -s state >/var/tmp/pf-states.txt' running in cron every few minutes then and let's check it out... Regards, Adrian. > > > Pierre > > Adrian Penisoara wrote: > >> Hi, >> >> On Wed, Mar 25, 2009 at 11:21 PM, Shawn Everett <sh...@tandac.com> wrote: >> >> >> >>> tcp.established 86400s >>>> >>>> ^^ This should be 3600. >>>> >>>> Pierre >>>> >>>> >>> That's an interesting thought. Why would that matter? >>> >>> >> >> >> It's the PF TCP established session timeout, which defaults to 1 day. This >> is relevant only if you see a lot of ESTABLISHED sessions in the 'pfctl -s >> state' output, which appears not to be the case... >> >> >> Regards, >> Adrian. >> _______________________________________________ >> freebsd-net@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-net >> To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org" >> >> > _______________________________________________ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
