[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

problem with keep state limit

To: "'misc@openbsd.org'" <misc@openbsd.org>
Subject: problem with keep state limit
From: Jirásek Vladimír <JirasekV@Radiomobil.cz>
Date: Tue, 5 Dec 2000 13:29:29 +0100

Hello,

I have version OpenBSD xxx 2.7 compile#0 i386, with ipf -V      
ipf: IP Filter: v3.3.16 (184)
Kernel: IP Filter: v3.3.16

I have about 5 systems behind firewall and I use 4 ipf rules with keep state
like
pass in quick on xxxx proto tcp from any to IP flags S/SA keep state

The fifth server is very loaded (100 incoming TCP sessions per second -
email server) and when I changed rule to also use keep state, openBSD
started send ICMP host IP unreachable to the Internet users, passing only
some traffic (like shaping). ipfstat -s shows that there are abou 2000
concurent TCP sessions. Is too much?

I had to change ipf.rules to explicitly allow incoming and outgoing packets
on each interface (so not to use keep state).

Does anobody have any solution?

Thank you.


Vladimír Jirásek
IT Security Administration, C731
RadioMobil, a.s.
+420603402718

Follow-Ups:
- Re: problem with keep state limit
  - From: Rémi Guyomarch <rguyom@pobox.com>

Prev by Date: Re: mad mad interrupts(bridging)
Next by Date: Re: Compile probs with qt2 & 2.8
Prev by thread: Re: IP forwarding
Next by thread: Re: problem with keep state limit
Index(es):
- Date
- Thread