List: ipfilter
Subject: Re: Problems with IP Filter 3.3.6 under NetBSD 1.4.2_ALPHA
From: Darren Reed <darrenr () reed ! wattle ! id ! au>
Date: 2000-02-24 10:19:15
In some email I received from Uwe Klaus, sie wrote:
>
> After upgrading my firewall/gateway from NetBSD 1.4.1 to the
> NetBSD-release branch 1.4.2_ALPHA (sources from Feb 12) with ipfilter
> version 3.3.6 I got some serious problems.
>
> The firewall works fine for hours and then started to reject most
> connections.
>
> "ipfstat -s|grep ttl|wc -l" gave 2048, i.e., the maximum number of
> states held defined by IPSTATE_MAX (ip_state.h) was reached.
The head of "ipfstat -s" should show you how many are being dropped
because of this.
> Now I try a new kernel with a bigger IPSTATE_MAX.
> Is this the solution?
Yes. If NetBSD had better sysctl support, then you wouldn't need to
but alas...
> Nevertheless, if there is a fixed upper bound of the keep-state table
> entries you can simply run into a DoS situation?
Correct. I'd argue that is better than running out of kernel memory.
> Are there some recommendations which size should I use ?
It is completely dependent on what your usage is.
For me, the defaults are excessive, but then it's just *me*.
Darren
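As an added example (not code from the original thread or from the IP Filter project), the following POSIX shell check reads "ipfstat -s" output and reports whether the state table has hit IPSTATE_MAX, which is the condition Uwe ran into. It uses the two indicators discussed above: the number of per-state "ttl" lines (what "grep ttl | wc -l" counts) and the "maximum" counter in the summary header, which records states refused because the table was full. The embedded sample output is constructed to resemble the ipfilter 3.3 format; the field names and the 80% warning threshold are assumptions and should be checked against the local ipfstat version before the script is used for monitoring.

```shell
#!/bin/sh
# Added example: watch the IP Filter state table for exhaustion.
# Reads "ipfstat -s" output on stdin; does not need root itself when fed
# from a saved copy, e.g.  ipfstat -s > /tmp/ipf.txt; state_table_status 2048 < /tmp/ipf.txt

# Constructed sample resembling "ipfstat -s" from ipfilter 3.3 (assumed format):
# summary header with a "maximum" counter, then one "ttl" line per state entry.
# Here 3 states are active and 5 new states were already rejected.
SAMPLE_IPFSTAT='IP states added:
    120 TCP
    40 UDP
    3 ICMP
    9000 hits
    163 misses
    5 maximum
    0 no memory
    3 active
    158 expired
    2 closed
10.0.0.5 -> 192.0.2.10 ttl 863999 pass 0 pr 6 state 4/4
    pkts 12 bytes 1800 1025 -> 80
10.0.0.6 -> 192.0.2.11 ttl 240 pass 0 pr 17 state 0/0
    pkts 1 bytes 80 53 -> 53
10.0.0.7 -> 192.0.2.12 ttl 863999 pass 0 pr 6 state 4/4
    pkts 3 bytes 300 1030 -> 22'

# count_states: number of state entries, one " ttl " line each (stdin).
# grep -c exits 1 when the count is 0, so mask that for set -e callers.
count_states() {
    grep -c ' ttl ' || true
}

# rejected_states: the "maximum" counter, i.e. states refused because
# IPSTATE_MAX had been reached (stdin). Prints nothing if absent.
rejected_states() {
    awk '$2 == "maximum" { print $1; exit }'
}

# state_table_status MAX: print one line, OK / WARN / FULL, for the given
# IPSTATE_MAX, reading "ipfstat -s" output from stdin.
state_table_status() {
    max="$1"
    input=$(cat)
    active=$(printf '%s\n' "$input" | count_states)
    rejected=$(printf '%s\n' "$input" | rejected_states)
    rejected=${rejected:-0}
    pct=$((active * 100 / max))
    if [ "$rejected" -gt 0 ] || [ "$active" -ge "$max" ]; then
        # Either the table is at its limit now, or new states were dropped
        # since the counters were reset: connections are being rejected.
        echo "FULL active=$active max=$max rejected=$rejected"
    elif [ "$pct" -ge 80 ]; then
        # Assumed threshold: warn before the limit so IPSTATE_MAX can be raised.
        echo "WARN active=$active max=$max pct=$pct"
    else
        echo "OK active=$active max=$max pct=$pct"
    fi
}

# Stand-alone run against the constructed sample with the default limit of 2048.
printf '%s\n' "$SAMPLE_IPFSTAT" | state_table_status 2048
```

A non-zero "maximum" counter is the better signal than the raw entry count, since entries expire between samples and a busy table can look half empty right after a burst of rejected connections. Raising IPSTATE_MAX only moves the bound; the counter still tells you whether a flood of short-lived connections is filling the table faster than states expire.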