>> Seems syncookies are off by default?

Yes, we should enable them!

----- Original message -----
From: "Dietmar Maurer" <diet...@proxmox.com>
To: "Alexandre DERUMIER" <aderum...@odiso.com>
Cc: pve-devel@pve.proxmox.com
Sent: Monday, 3 March 2014 17:28:44
Subject: RE: pvefw: using ctmark to associacte connections to VMs

> > > I don't know if we can set up a really high value by default?
> >
> > no idea, sorry.
> >
> > > Also, it seems that another option must be tuned,
> > >
> > > /etc/modprobe.conf:
> > >
> > > options ip_conntrack hashsize=32768
> > >
> > >
> > > I need to read a little more about it
> >
> > Does that mean that everybody can start a DOS attack by simply
> > opening (faking) 64000 tcp connections?
>
> http://tools.ietf.org/html/rfc4987

So what can we do to prevent that? Seems syncookies are off by default?

# cat /proc/sys/net/ipv4/tcp_syncookies
0
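
A defensive check for the settings discussed in this thread, as an added example that is not part of the original mails or of the Proxmox firewall code: it reads `tcp_syncookies` and the conntrack limits and flags the weak values. The `nf_conntrack` paths, the 80% threshold and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit SYN-flood related settings.
# Optional argument: alternate root directory, used for offline testing.

read_val() {   # print the file's content, or "missing" if unreadable
    if [ -r "$1" ]; then cat "$1"; else echo missing; fi
}

is_num() {     # true if $1 is a non-empty string of digits
    case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

audit_synflood() {
    root="${1:-}"
    findings=0
    sc=$(read_val "$root/proc/sys/net/ipv4/tcp_syncookies")
    # Assumed paths: nf_conntrack is the current name of ip_conntrack.
    max=$(read_val "$root/proc/sys/net/netfilter/nf_conntrack_max")
    cnt=$(read_val "$root/proc/sys/net/netfilter/nf_conntrack_count")
    hs=$(read_val "$root/sys/module/nf_conntrack/parameters/hashsize")

    case "$sc" in
        0)   echo "WARN tcp_syncookies=0: no SYN cookie fallback when the SYN backlog fills (RFC 4987)"
             findings=$((findings + 1)) ;;
        1|2) echo "OK   tcp_syncookies=$sc" ;;
        *)   echo "INFO tcp_syncookies not readable" ;;
    esac

    if is_num "$max" && is_num "$cnt" && [ "$max" -gt 0 ]; then
        pct=$((cnt * 100 / max))
        # 80% is an assumed alert threshold, not a kernel constant.
        if [ "$pct" -ge 80 ]; then
            echo "WARN conntrack table ${pct}% full ($cnt/$max): new flows are dropped once it is full"
            findings=$((findings + 1))
        else
            echo "OK   conntrack table ${pct}% full ($cnt/$max)"
        fi
    else
        echo "INFO conntrack counters not readable (module not loaded?)"
    fi

    if is_num "$hs" && is_num "$max" && [ "$hs" -gt 0 ]; then
        echo "INFO hashsize=$hs, nf_conntrack_max/hashsize=$((max / hs))"
    fi
    echo "findings=$findings"
}

audit_synflood "${1:-}"
```

Run without arguments it inspects the live host; a persistent fix for the first finding is `net.ipv4.tcp_syncookies = 1` in the sysctl configuration.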