FreeBSD Router Problem

Adrian Penisoara ady at freebsd.ady.ro
Fri Mar 27 06:18:05 PDT 2009 

Hi,

On Thu, Mar 26, 2009 at 5:02 PM, Pierre Lamy <pierre at userid.org> wrote:

> states        hard limit    10000
>
> If I want to dos this box all I need to do is hold 10k tcp connections open
> in established.
>
> A 1 day default timeout for established connections is retarded, since
> virtually all client apps and OSs as well as intervening stateful firewalls
> will lose state after 1 hour. A session which is idle for more than an hour
> can't be considered to be active. Coupled with an extremely low state limit,
> and you're asking for problems. If the session is active at all before the
> session timeout is hit, the timer is reset.


I'm sorry but I have to object. Having past experience in Oracle Support for
networking issues I did see many problems with statefull firewalls which
were cutting off idle Oracle connections. The base line is: DO NOT assume
connections are dead even if they are idle for more than an hour...


>
>
> I'm not saying he's getting DOSd, but with such low limits, even a normal
> home network is going to run into problems at some point. We can see from
> the diagnostic output provided earlier that there were no issues when it was
> collected, but was it collected while there was an outage?



>
> If the problem still occurs, it may be worth scripting something to collect
> some pfctl -g -v -v -v -s all and some sysctl -a, vmstat output as well.


Well, just keep a 'pfctl -s state >/var/tmp/pf-states.txt' running in cron
every few minutes then and let's check it out...

Regards,
Adrian.


>
>
> Pierre
>
> Adrian Penisoara wrote:
>
>> Hi,
>>
>> On Wed, Mar 25, 2009 at 11:21 PM, Shawn Everett <shawn at tandac.com> wrote:
>>
>>
>>
>>> tcp.established           86400s
>>>>
>>>> ^^ This should be 3600.
>>>>
>>>> Pierre
>>>>
>>>>
>>> That's an interesting thought.  Why would that matter?
>>>
>>>
>>
>>
>> It's the PF TCP established session timeout, which defaults to 1 day. This
>> is relevant only if you see a lot of ESTABLISHED sessions in the 'pfctl -s
>> state' output, which appears not to be the case...
>>
>>
>> Regards,
>> Adrian.
>> _______________________________________________
>> freebsd-net at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>>
>>
>

More information about the freebsd-net mailing list