From: "Jet (jchan@trusecure.com)" <yenjet.chan@eglobal.com.my>
To: Antony Stone <Antony@Soft-Solutions.co.uk>,
	"netfilter@lists" <netfilter@lists.netfilter.org>
Subject: Re: Purely NAT
Date: Tue, 29 Oct 2002 10:18:57 +0800
Message-ID: <006201c27ef1$8af58700$0bc8c80a@dolphin>
In-Reply-To: 200210281444.g9SEime08636@vulcan.rissington.net

> How much memory is in the netfilter machine / what size is your conntrack
> table / how many connections are you generating with your portscans for this
> to be a problem ?

This is not a matter of the number of connections generated by the
portscanner, but of the type of scanning option.
If you turn on stateful filtering and you try to scan a class B (or
multiple class C) address range using "nmap -sS", then you are in trouble.

According to the iptables source code, you will have to wait five days for
the timeout.

FYI, my machine has 64MB and I know it defaults to 4K connections. I tried
to increase it to 64K, and I got other processes being killed (the OOM bug);
sometimes the machine hangs.
This is kernel 2.4.18.

Even if I put in more RAM, let's say 512MB/1GB, the maximum size of the
connection table is only 64K. (Correct me if I'm wrong.)
My point here is that any iptables with a 64K limitation on the connection
table can easily be DoSed by a scan (using either "nmap -sS" or "nmap -sA").

.//Jet
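The sizing argument in the message above (a 4K or 64K conntrack table filled by a SYN scan of a class B while entries linger for the quoted five days) can be checked with a small model. This added example is not part of the thread: it replays a constructed probe stream against a model connection table with a single idle timeout and reports peak occupancy and the packets that found no free slot. The five-day timeout is the figure quoted in the post; the two-minute value is an assumed comparison value, and the 10 ms probe interval is constructed.

```python
import heapq
from typing import Iterable, Iterator, Tuple

def simulate_conntrack(events: Iterable[Tuple[int, str]], max_entries: int,
                       timeout_ms: int) -> Tuple[int, int]:
    """Replay (time_ms, flow_key) packets against a model connection table.

    A flow occupies one slot from its first packet until timeout_ms elapse
    with no further packet for it; a packet for a known flow refreshes it.
    When the table is full, a packet for a new flow is dropped (model
    assumption, matching the kernel's "table full, dropping packet" case).
    Returns (peak_entries, dropped_packets).
    """
    expiry = {}      # flow_key -> time at which its slot is released
    heap = []        # (expiry_time, flow_key); stale items are skipped
    peak = dropped = 0
    for t, key in events:
        while heap and heap[0][0] <= t:           # release expired slots
            exp_t, k = heapq.heappop(heap)
            if expiry.get(k) == exp_t:
                del expiry[k]
        if key in expiry or len(expiry) < max_entries:
            expiry[key] = t + timeout_ms
            heapq.heappush(heap, (t + timeout_ms, key))
            peak = max(peak, len(expiry))
        else:
            dropped += 1
    return peak, dropped

def syn_scan_events(hosts: int, ports: int, interval_ms: int) -> Iterator[Tuple[int, str]]:
    """Constructed probe stream: one SYN per (host, port), one every interval_ms.

    Keys are synthetic 10.0.x.y:port strings, unique for hosts <= 65536.
    """
    i = 0
    for h in range(hosts):
        for p in range(ports):
            yield i * interval_ms, f"10.0.{h >> 8}.{h & 255}:{p}"
            i += 1

if __name__ == "__main__":
    class_b = 256 * 256                      # one probe per host of a /16
    five_days = 5 * 24 * 3600 * 1000         # the timeout quoted in the post
    two_minutes = 120 * 1000                 # assumed short timeout for comparison
    for table in (4096, 65536):              # the 4K default and the 64K ceiling mentioned
        for name, timeout in (("5 days", five_days), ("2 min", two_minutes)):
            peak, dropped = simulate_conntrack(syn_scan_events(class_b, 1, 10), table, timeout)
            print(f"max={table:5d} timeout={name:6s} peak={peak:5d} dropped={dropped}")
```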