knitti wrote:
> On 12/11/07, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> > On 2007/12/11 09:40, Marti Martinez wrote:
> > > Yep, synproxy is your answer for OpenBSD. For Linux or FreeBSD, try
> > > enabling SYN cookies.
> > synproxy works at the start of the connection, not the end.
> > CLOSE_WAIT is the state where the network stack waits for
> > the application (httpd) to close the connection after receiving
> > the client's FIN.
> oh sorry, then I was wrong. So when the client's FIN is already in, then
> (depending on how long it takes), is it normal behaviour of httpd
> or could it be considered a bug?
It's not a bug, but a feature I guess. It's useful for keep-alive setups
and can be adjusted in httpd as well, or turned off if that really
annoys you. I am not recommending it however.
PF can help in making sure the connections you pass to your httpd server
are legitimate ones (three-way handshake), and then you can adjust the
keep-alive on the httpd to reduce it if you want, or turn it off maybe
in very bad cases.
Even in the very worst cases, you could adjust some of the pf net.inet.tcp.xxx
values to help, but I am not going there as in most cases users will
make it way worse rather than better. You have to have a very busy server(s) to
start playing with these values for both/either pf and httpd keep-alive.
If it is just that it annoys you to see the CLOSE_WAIT in pf, as an
example, but the httpd server is operating normally, then just let
it be.
There is also the possibility to adjust PF to start limiting the states in
its table as you start running under very heavy load, but again, that's
not for everyone. You can set up PF to expire states sooner than they
would if you reach high limits, etc.
But again, all this is for very heavy setups and servers. I could be
wrong, but I don't think that's the issue in this case.
In any case, in the interest of answering your question, you can always
read on this a bit. Adaptive options and various timeouts in PF combined
with some changes in httpd.conf for keep-alive will carry you a long way:
http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&manpath=OpenBSD+4.2
So, if you configure PF to use some of that, then change the httpd
default for keep-alive and reduce it if need be, as well as making sysctl
changes, you can make a system support a hell of a lot more traffic,
but at the same time you can shoot yourself in the foot pretty badly and
make it way worse as well. So, unless you really have to and you truly
understand each aspect of it, leaving it alone is best and a simple PF
configuration alone will carry you a very long way.
There is a lot that can be done; however, when you reach this level, one
answer doesn't fit all and it is really dependent on your setup.
Hope this helps answering your question.
Daniel
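An added example of the knobs Daniel refers to, not taken from the thread or from any poster's configuration: a pf.conf fragment that caps the state table, turns on adaptive timeouts so states expire sooner under load, shortens the half-closed (FIN received) state lifetime, and uses synproxy so only connections that complete the three-way handshake reach httpd. The interface name, address and every number are assumptions for illustration; tune them to the actual box.

```pf
# Added example (not from the thread): pf.conf fragment for a web server.
# $ext_if, $web_srv and all numbers below are illustrative assumptions.
ext_if  = "em0"
web_srv = "192.0.2.10"

# Cap the state table. Adaptive timeouts start shrinking state lifetimes
# once the table holds adaptive.start entries and reach zero at
# adaptive.end, so under heavy load old states expire sooner instead of
# the table filling up (6000/12000 are pf's defaults for a 10000 limit).
set limit states 10000
set timeout { adaptive.start 6000, adaptive.end 12000 }

# Shorten how long pf keeps a TCP state after one side has sent its FIN
# (the CLOSE_WAIT / FIN_WAIT phase). pf's default tcp.closing is 900s;
# this is where "expire states sooner" is set.
set timeout { tcp.closing 120, tcp.finwait 30, tcp.closed 30 }

# synproxy: pf completes the handshake with the client itself and only
# then opens the connection to httpd, so half-open SYNs never reach the
# application. State tracking is on by default for pass rules.
pass in on $ext_if proto tcp from any to $web_srv port 80 synproxy state
```

The httpd side of the same trade-off is the KeepAlive and KeepAliveTimeout directives in httpd.conf; as Daniel says, reduce the timeout before turning keep-alive off, and leave both the pf timeouts and the net.inet.tcp sysctls at their defaults unless the server is genuinely busy enough to need it.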
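Before touching any of those settings it helps to know whether the CLOSE_WAIT sockets are a normal trickle or a pile-up. This added shell example (not from the thread) summarises BSD-style `netstat -an -p tcp` output: how many sockets on a given local port sit in a given state, and which remote hosts hold the most half-closed connections. The netstat lines embedded in it are constructed sample data; the parsing assumes IPv4 addresses in the dotted "host.port" form netstat prints.

```sh
#!/bin/sh
# Added example (not from the thread): summarise TCP socket states from
# BSD-style `netstat -an -p tcp` output (fields: proto recv-q send-q
# local foreign state). SAMPLE is constructed data, not a real capture.
SAMPLE='tcp        0      0  192.0.2.10.80          198.51.100.5.41234     ESTABLISHED
tcp        0      0  192.0.2.10.80          198.51.100.5.41235     CLOSE_WAIT
tcp        0      0  192.0.2.10.80          203.0.113.7.50021      CLOSE_WAIT
tcp        0      0  192.0.2.10.80          203.0.113.7.50022      CLOSE_WAIT
tcp        0      0  192.0.2.10.22          203.0.113.9.60010      ESTABLISHED
tcp        0      0  192.0.2.10.80          203.0.113.7.50023      TIME_WAIT'

# count_state PORT STATE: number of sockets on local PORT in STATE, read
# from stdin. The local address is field 4 as "a.b.c.d.port" (IPv4 only
# here), so the port is the last dot-separated component.
count_state() {
    awk -v port="$1" -v st="$2" '
        $1 ~ /^tcp/ && $6 == st {
            n = split($4, a, "."); if (a[n] == port) c++
        }
        END { print c + 0 }'
}

# close_wait_by_peer PORT: CLOSE_WAIT sockets per remote host on local
# PORT, busiest first. One peer holding many half-closed sockets stands
# out from the normal keep-alive trickle spread across many clients.
close_wait_by_peer() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "CLOSE_WAIT" {
            n = split($4, a, "."); if (a[n] != port) next
            split($5, b, "."); host = b[1] "." b[2] "." b[3] "." b[4]
            cnt[host]++
        }
        END { for (h in cnt) print h, cnt[h] }' | sort -k2,2nr
}

# Stand-alone run over the constructed sample. On a live host, pipe
# `netstat -an -p tcp` into the functions instead of $SAMPLE.
printf '%s\n' "$SAMPLE" | count_state 80 CLOSE_WAIT
printf '%s\n' "$SAMPLE" | close_wait_by_peer 80
```

A handful of CLOSE_WAIT sockets spread across many peers, each disappearing within the keep-alive timeout, is the normal picture Daniel describes; a count that only grows, or one remote host accounting for most of it, is when the pf and httpd keep-alive settings above become worth looking at.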