* Cédric Berger <cedric@berger.to> [2006-05-19 12:18]:
> > However, a bigger problem is that at least the OpenBSD 3.8 code can't
> > keep the backup firewall state table synchronized with the master
> > firewall because of this effect, even though CPU is 80% idle. The
> > biggest problems are the TCP connections for which the closing sync
> > updates are lost. They end up living a long time in the backup firewall,
> > and should failover happen, they cause a lot of state-mismatch blocks
> > for new connections which are reusing the same TCP ports.
>
> I'm mostly thinking out loud here, but wouldn't it make sense to at
> least have an option to make new connections replace old ones in case
> of mismatches like that?

and then you've created the perfect DoS. just send a forged packet that
gets IPs & ports right, and, kaboom, legit state gone.

-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
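An added example, not from the thread and not OpenBSD's pf or pfsync code: a toy state table in Python that models the two policies argued over above. With strict matching, a stale state left on the backup blocks a new connection that reuses the same ports (the problem reported); with "new connections replace old ones on mismatch", the new flow gets through, but any packet carrying the right addresses and ports can evict a legitimate state (the objection). All addresses, ports, sequence numbers and the window size are constructed values.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

Key = Tuple[str, int, str, int]   # (src ip, src port, dst ip, dst port)
WINDOW = 65535                    # constructed size of the accepted sequence window


@dataclass
class State:
    owner: str     # constructed label of the flow that created the state
    seq_lo: int    # lowest sequence number the state still accepts
    seq_hi: int    # exclusive upper bound of the accepted window


@dataclass
class Packet:
    key: Key
    seq: int
    syn: bool = False
    label: str = ""


class StateTable:
    """Toy stateful table; replace_on_mismatch models the option proposed in the thread."""

    def __init__(self, replace_on_mismatch: bool) -> None:
        self.replace = replace_on_mismatch
        self.states: Dict[Key, State] = {}

    def process(self, pkt: Packet) -> str:
        st = self.states.get(pkt.key)
        if st is None:
            if not pkt.syn:
                return "blocked: no state"
            self.states[pkt.key] = State(pkt.label, pkt.seq, pkt.seq + WINDOW)
            return "created"
        if st.seq_lo <= pkt.seq < st.seq_hi:
            st.seq_lo, st.seq_hi = pkt.seq, pkt.seq + WINDOW   # slide window with the flow
            return "passed"
        if self.replace and pkt.syn:   # proposed option: a new connection replaces the old state
            self.states[pkt.key] = State(pkt.label, pkt.seq, pkt.seq + WINDOW)
            return "replaced"
        return "blocked: state mismatch"


def run(replace_on_mismatch: bool) -> List[str]:
    """Stale state after failover, a legit flow reusing the ports, then a forged SYN."""
    key: Key = ("192.0.2.10", 40000, "198.51.100.5", 443)
    tbl = StateTable(replace_on_mismatch)
    tbl.states[key] = State("stale", 900_000_000, 900_000_000 + WINDOW)  # leftover on the backup
    legit_syn = Packet(key, 1_000, syn=True, label="legit")
    legit_data = Packet(key, 1_500, label="legit")
    forged = Packet(key, 500_000_000, syn=True, label="forged")  # right 4-tuple, bogus sequence
    return [tbl.process(p) for p in (legit_syn, legit_data, forged, legit_data)]
```

The last entry of `run(True)` is the legitimate flow being blocked after the forged SYN evicted its state, which is the DoS the reply describes.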