From owner-freebsd-net@FreeBSD.ORG Thu Mar 26 17:43:13 2009
Message-ID: <49CBA72F.3020600@userid.org>
Date: Thu, 26 Mar 2009 11:02:55 -0500
From: Pierre Lamy
To: Adrian Penisoara
Cc: freebsd-net@freebsd.org, Shawn Everett
In-Reply-To: <78cb3d3f0903260552g372fd4b6k886bba1ebc05a77c@mail.gmail.com>
Subject: Re: FreeBSD Router Problem
states hard limit 10000

If I want to dos this box all I need to do is hold 10k tcp connections
open in established. A 1 day default timeout for established connections
is retarded, since virtually all client apps and OSs as well as
intervening stateful firewalls will lose state after 1 hour. A session
which is idle for more than an hour can't be considered to be active.
Coupled with an extremely low state limit, and you're asking for
problems. If the session is active at all before the session timeout is
hit, the timer is reset.

I'm not saying he's getting DOSd, but with such low limits, even a normal
home network is going to run into problems at some point. We can see from
the diagnostic output provided earlier that there were no issues when it
was collected, but was it collected while there was an outage? If the
problem still occurs, it may be worth scripting something to collect some
pfctl -g -v -v -v -s all and some sysctl -a, vmstat output as well.

Pierre

Adrian Penisoara wrote:
> Hi,
>
> On Wed, Mar 25, 2009 at 11:21 PM, Shawn Everett wrote:
>
>>> tcp.established 86400s
>>>
>>> ^^ This should be 3600.
>>>
>>> Pierre
>>>
>> That's an interesting thought. Why would that matter?
>>
>
> It's the PF TCP established session timeout, which defaults to 1 day. This
> is relevant only if you see a lot of ESTABLISHED sessions in the 'pfctl -s
> state' output, which appears not to be the case...
>
> Regards,
> Adrian.
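The check Pierre describes, as an added example that is not part of the thread: it measures how full the pf state table is against the "states hard limit", flags a tcp.established timeout above one hour, and captures the diagnostics he lists when the table is nearly full. The pfctl output is a constructed sample shaped like `pfctl -s info`, `pfctl -s memory` and `pfctl -s timeouts`; the 80% threshold and the /var/tmp output directory are assumptions.

```shell
#!/bin/sh
# Added example: check a FreeBSD pf box against the two settings in the thread
# (states hard limit, tcp.established). PF_LIVE=1 uses the real pfctl output.

# Constructed sample output shaped like `pfctl -s info|memory|timeouts` (not a capture).
SAMPLE_INFO='State Table                          Total             Rate
  current entries                     9800'
SAMPLE_MEM='states        hard limit    10000
src-nodes     hard limit    10000'
SAMPLE_TIMEOUTS='tcp.established           86400s
tcp.closing                 900s'

# Percent of the state table in use: $1 = `pfctl -s info`, $2 = `pfctl -s memory`.
pf_state_pct() {
    cur=$(printf '%s\n' "$1" | awk '$1 == "current" && $2 == "entries" {print $3}')
    lim=$(printf '%s\n' "$2" | awk '$1 == "states" && /hard limit/ {print $NF}')
    [ -n "$cur" ] && [ -n "$lim" ] && [ "$lim" -gt 0 ] || return 1
    echo $(( cur * 100 / lim ))
}

# tcp.established timeout in seconds from `pfctl -s timeouts` text.
pf_established_timeout() {
    printf '%s\n' "$1" | awk '$1 == "tcp.established" {sub(/s$/, "", $2); print $2}'
}

# 0 when under $4 percent full and tcp.established <= 3600s; else 1 plus findings.
pf_assess() {
    pct=$(pf_state_pct "$1" "$2") || return 1
    tmo=$(pf_established_timeout "$3")
    rc=0
    [ "$pct" -ge "$4" ] && { echo "state table ${pct}% full: raise 'set limit states' or cut timeouts"; rc=1; }
    [ -n "$tmo" ] && [ "$tmo" -gt 3600 ] && { echo "tcp.established ${tmo}s: use 'set timeout tcp.established 3600'"; rc=1; }
    return $rc
}

# Capture the diagnostics Pierre suggests into a timestamped directory (assumed path).
pf_collect() {
    dir=/var/tmp/pf-diag.$(date +%Y%m%d-%H%M%S) && mkdir -p "$dir" || return 1
    pfctl -g -v -v -v -s all > "$dir/pfctl-all.txt" 2>&1
    sysctl -a > "$dir/sysctl.txt" 2>&1
    vmstat > "$dir/vmstat.txt" 2>&1
    echo "diagnostics written to $dir"
}

if [ "${PF_LIVE:-0}" = 1 ]; then
    pf_assess "$(pfctl -s info)" "$(pfctl -s memory)" "$(pfctl -s timeouts)" 80 || pf_collect
else
    pf_assess "$SAMPLE_INFO" "$SAMPLE_MEM" "$SAMPLE_TIMEOUTS" 80 || echo "(sample run: would collect diagnostics)"
fi
```

Run it from cron with PF_LIVE=1 so a capture exists from inside the outage window rather than after it.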