Re: ip contrack problem, not strictly followed RFC, DoS very much possible

[Willy Tarreau]

On Mon, Dec 06, 2004 at 02:54:59PM +0100, Grzegorz Piotr Jaskiewicz wrote:
 
> If someone has argumentation for 5 days timeout, please speak out. In 
> everyday life, router, desktop, server usage 100s is enough there, and 
> makes my life easier, as many other linux admins.

Uhh ?

please try to start 4 xterms through your firewall, then work for 100s in
one of them, then only start to use anyone of the other ones. If it's hung,
maybe you'll remember how low you put the timeout, and think about all those
users coming to you complaining that they only have to stop typing to talk
to someone before they find their xemacs, xterms, etc... dead.

I've seen several firewalls which caused trouble by breaking connections
after 2 hours of idle, while applications used a default keep-alive of 4
hours. Eventhough 5 days may seem a bit long for some usages (eg: frontal
web servers), several hours is not that much for internal firewalls.

Willy

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/