Re: ip contrack problem, not strictly followed RFC, DoS very muchpossible

From: Baruch Even
Date: Mon Dec 06 2004 - 09:33:44 EST


Grzegorz Piotr Jaskiewicz wrote:
If someone has argumentation for 5 days timeout, please speak out. In everyday life, router, desktop, server usage 100s is enough there, and makes my life easier, as many other linux admins.

1. The correct value is 5 days for the case of long idle connections, there are such things, and there is no reason to force such connections to do keepalive every 100 seconds to stay alive.

2. You can change it in your firewall in /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established

Baruch
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/