Re: FreeBSD Router Problem



Hi,

On Thu, Mar 26, 2009 at 5:02 PM, Pierre Lamy <pierre@xxxxxxxxxx> wrote:

states hard limit 10000

If I want to DoS this box all I need to do is hold 10k tcp connections open
in established.

A 1 day default timeout for established connections is retarded, since
virtually all client apps and OSs as well as intervening stateful firewalls
will lose state after 1 hour. A session which is idle for more than an hour
can't be considered to be active. Coupled with an extremely low state limit,
and you're asking for problems. If the session is active at all before the
session timeout is hit, the timer is reset.


I'm sorry but I have to object. Having past experience in Oracle Support for
networking issues I did see many problems with stateful firewalls which
were cutting off idle Oracle connections. The base line is: DO NOT assume
connections are dead even if they are idle for more than an hour...




I'm not saying he's getting DoS'd, but with such low limits, even a normal
home network is going to run into problems at some point. We can see from
the diagnostic output provided earlier that there were no issues when it was
collected, but was it collected while there was an outage?




If the problem still occurs, it may be worth scripting something to collect
some pfctl -g -v -v -v -s all and some sysctl -a, vmstat output as well.


Well, just keep a 'pfctl -s state >/var/tmp/pf-states.txt' running in cron
every few minutes then and let's check it out...

Regards,
Adrian.




Pierre

Adrian Penisoara wrote:

Hi,

On Wed, Mar 25, 2009 at 11:21 PM, Shawn Everett <shawn@xxxxxxxxxx> wrote:



tcp.established 86400s

^^ This should be 3600.

Pierre


That's an interesting thought. Why would that matter?




It's the PF TCP established session timeout, which defaults to 1 day. This
is relevant only if you see a lot of ESTABLISHED sessions in the 'pfctl -s
state' output, which appears not to be the case...


Regards,
Adrian.
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
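A cron collector along the lines Adrian suggests, written here as an added example rather than code from the thread: it snapshots 'pfctl -s state', counts how many entries are fully ESTABLISHED TCP sessions, and logs that against the hard limit so a later outage can be matched to state-table pressure. The sample lines are constructed in the state-line layout assumed here (IF PROTO SRC -> DST STATE), the /var/tmp paths are assumptions, and 10000 is the hard limit quoted above.

```shell
#!/bin/sh
# Constructed snapshot in the 'pfctl -s state' line layout assumed here
# (not captured from the router discussed in the thread).
SAMPLE_STATES='em0 tcp 192.168.1.10:52341 -> 203.0.113.5:443       ESTABLISHED:ESTABLISHED
em0 tcp 192.168.1.11:41000 -> 203.0.113.5:22        ESTABLISHED:ESTABLISHED
em0 tcp 192.168.1.12:50000 -> 203.0.113.9:80        FIN_WAIT_2:FIN_WAIT_2
em0 udp 192.168.1.10:53212 -> 198.51.100.1:53       MULTIPLE:SINGLE
em0 tcp 192.168.1.13:60001 -> 203.0.113.5:443       ESTABLISHED:ESTABLISHED'

# Count TCP entries whose state column starts with ESTABLISHED (open both ways);
# these are the ones the tcp.established timeout applies to.
count_established() {
    awk '$2 == "tcp" && $NF ~ /^ESTABLISHED:/ { n++ } END { print n + 0 }'
}

# Count every state entry (one per non-empty line) for comparison with the limit.
count_total() {
    awk 'NF { n++ } END { print n + 0 }'
}

# Integer percentage of the hard limit in use: usage_pct <count> <limit>.
usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Cron entry point: dump the raw state table to a timestamped file (assumed path)
# and append a one-line summary. Default limit is the 10000 quoted in the thread.
snapshot_states() {
    limit=${1:-10000}
    stamp=$(date +%Y%m%d-%H%M%S)
    dump="/var/tmp/pf-states-$stamp.txt"
    pfctl -s state > "$dump" 2>/dev/null || return 1
    total=$(count_total < "$dump")
    est=$(count_established < "$dump")
    echo "$stamp total=$total established=$est limit_used=$(usage_pct "$total" "$limit")%" \
        >> /var/tmp/pf-states-summary.log
}

# Stand-alone demo on the constructed sample (no pfctl needed).
printf '%s\n' "$SAMPLE_STATES" | count_established
```

Install with a line such as `*/5 * * * * /usr/local/sbin/pf-snapshot.sh` (path assumed) that calls snapshot_states, then compare the summary log's timestamps with when the outage was noticed.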





