Henning Brauer wrote:
> * Cédric Berger <cedric@berger.to> [2006-05-19 12:18]:
>>> However, a bigger problem is that at least the OpenBSD 3.8 code can't
>>> keep the backup firewall state table synchronized with the master
>>> firewall because of this effect, even though CPU is 80% idle. The
>>> biggest problems are the TCP connections for which the closing sync
>>> updates are lost. They end up living a long time in the backup firewall,
>>> and should failover happen, they cause a lot of state-mismatch blocks
>>> for new connections which are reusing the same TCP ports.
>> I'm mostly thinking out loud here, but wouldn't it make sense to at
>> least have an option to make new connections replace old ones in case
>> of mismatches like that?
>
> and then you've created the perfect DoS. just send a forged packet that
> gets IPs & ports right, and, kaboom, legit state gone.

Ok, right. Actually, I was thinking about doing that only if:

1) The "old state" has been created through pfsync
2) No packet ever matched the "old state" on that firewall.

Now, wouldn't it be possible to do that replacement only if the 3-way handshake succeeds, since the problem is severe only in tcp-land anyway?

What I mean is that a new TCP connection with same IP/port would be allowed in parallel to the "old state", and would actually remove and replace the old one only if the 3-way handshake succeeds?

Of course, an alternative would be to make the pfsync protocol reliable...

Cedric
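The replacement policy Cédric sketches above, modelled as an added example (this is not pf or pfsync source; the StateTable, Key and State names, the string verdicts and the sample addresses are invented for illustration). A SYN that collides with an existing state is allowed to run a new handshake in parallel only when that state was learned over pfsync and never matched a packet on this firewall, and the old state is removed only once the 3-way handshake completes. A lone forged packet with the right IPs and ports therefore cannot evict anything, which is the DoS Henning raises, while a stale state left behind by a lost closing update is replaced by the next real connection that reuses the ports.

```python
# Toy model of a backup firewall's state table under the replacement policy
# proposed in the thread. Added example: not pf or pfsync code; StateTable,
# Key, State and the verdict strings are invented for illustration.

from dataclasses import dataclass

SYN, SYN_ACK, ACK = "SYN", "SYN+ACK", "ACK"

# Expected 3-way handshake as (flag, direction) relative to the initiator's tuple.
HANDSHAKE = ((SYN, "fwd"), (SYN_ACK, "rev"), (ACK, "fwd"))


@dataclass(frozen=True)
class Key:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        return Key(self.dst, self.dport, self.src, self.sport)


@dataclass
class State:
    key: Key
    from_pfsync: bool        # created from a pfsync update, not by a local packet
    matched: bool = False    # has any packet matched this state on this box?
    step: int = 0            # handshake progress of a pending candidate


class StateTable:
    def __init__(self):
        self.states = {}     # Key -> State: established (possibly stale synced) states
        self.pending = {}    # Key -> State: new connections awaiting the handshake

    def sync_insert(self, key):
        """Learn a state from the master over pfsync."""
        self.states[key] = State(key, from_pfsync=True)

    @staticmethod
    def _lookup(table, key):
        if key in table:
            return table[key], "fwd"
        if key.reverse() in table:
            return table[key.reverse()], "rev"
        return None, None

    def packet(self, key, flag):
        """Process one TCP segment; return 'pass', 'block' or 'replaced'."""
        # 1. A pending candidate consumes only the exact next handshake step,
        #    so stray packets still fall through to the established state.
        cand, cdir = self._lookup(self.pending, key)
        if cand is not None and (flag, cdir) == HANDSHAKE[cand.step]:
            cand.step += 1
            if cand.step < len(HANDSHAKE):
                return "pass"
            del self.pending[cand.key]
            old = self.states.get(cand.key)
            if old is not None and old.matched:
                # Modelling choice: the old state saw traffic while the
                # handshake was in flight, so it is live and is kept.
                return "block"
            cand.matched = True
            self.states[cand.key] = cand
            return "replaced" if old is not None else "pass"

        # 2. Otherwise match against the established table.
        old, odir = self._lookup(self.states, key)
        if flag == SYN and odir in (None, "fwd"):
            if old is None or (old.from_pfsync and not old.matched):
                # The two conditions from the thread: the state in the way was
                # created through pfsync and never matched a packet here, so a
                # fresh handshake may run in parallel with it.
                self.pending[key] = State(key, from_pfsync=False, step=1)
                return "pass"
            return "block"   # SYN against a live state: state mismatch
        if old is None:
            return "block"   # no state and not a SYN
        old.matched = True
        return "pass"


def scenarios():
    """Run the cases discussed in the thread and return their outcomes."""
    out = {}
    tup = Key("10.0.0.5", 40000, "192.0.2.10", 443)   # constructed sample tuple

    # (a) Henning's DoS: a single forged SYN with the right IPs/ports.
    t = StateTable()
    t.sync_insert(tup)
    out["forged_syn"] = t.packet(tup, SYN)           # only starts a candidate
    out["old_survives_forged"] = t.states[tup].from_pfsync

    # (b) Stale synced state (closing update lost); a real connection reuses the ports.
    t = StateTable()
    t.sync_insert(tup)
    out["reuse"] = [t.packet(tup, SYN),
                    t.packet(tup.reverse(), SYN_ACK),
                    t.packet(tup, ACK)]
    out["replaced_is_local"] = not t.states[tup].from_pfsync

    # (c) Synced state that has already passed traffic here: a colliding SYN
    #     is still a state mismatch and is blocked, as today.
    t = StateTable()
    t.sync_insert(tup)
    t.packet(tup.reverse(), ACK)
    out["live_mismatch"] = t.packet(tup, SYN)
    return out


if __name__ == "__main__":
    print(scenarios())
```

Two simplifications are deliberate: a candidate never expires (a real implementation would age pending entries out like any other half-open state), and if the old state matches a packet while the candidate's handshake is still in flight the candidate is discarded rather than the old state, since the old state has by then proved it is live.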