From: "Jet (jchan@trusecure.com)"
Subject: Re: Purely NAT
Date: Tue, 29 Oct 2002 10:18:57 +0800
Sender: netfilter-admin@lists.netfilter.org
Message-ID: <006201c27ef1$8af58700$0bc8c80a@dolphin>
References: <005401c27e43$73946990$0bc8c80a@dolphin> <200210281444.g9SEime08636@vulcan.rissington.net>
To: Antony Stone, "netfilter@lists"

> How much memory is in the netfilter machine / what size is your conntrack
> table / how many connections are you generating with your portscans for this
> to be a problem ?

This is not a matter of the number of connections generated by the portscanner, but of the type of scanning option. If you turn on stateful filtering and you try to scan a class B (or multiple class C) address using "nmap -sS", then you are in trouble. According to the iptables source code, you will have to wait five days for the timeout.

FYI, my machine has 64MB and I know it defaults to 4K connections. I tried to increase it to 64K, and I got other processes being killed (the OOM bug); sometimes the machine hangs. This is kernel 2.4.18.

Even if I put in more RAM, let's say 512MB/1GB, the maximum of the connection table is only 64K. (Correct me if I'm wrong.)

My point here is that any iptables with a 64K limitation on the connection table can easily be DoSed by a scan (using either "nmap -sS" or "nmap -sA").

.//Jet
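The failure mode Jet describes is the conntrack table filling up with half-open entries faster than they expire. From the defender's side the useful thing is to notice table pressure before the kernel starts dropping new connections. The script below is an added example, not part of the thread or of the netfilter project: it parses the 2.4-era /proc/net/ip_conntrack format (protocol name, protocol number, remaining timeout, TCP state, then the two directional tuples with [UNREPLIED]/[ASSURED] flags), compares the entry count against the table limit (on 2.4 kernels that is /proc/sys/net/ipv4/ip_conntrack_max), and reports when usage or the share of unreplied SYN_SENT entries crosses a threshold. The sample table, the threshold values and the function names are all constructed for illustration; the 5-day ESTABLISHED timeout in the sample mirrors the figure Jet cites.

```python
"""Report conntrack table pressure from /proc/net/ip_conntrack (2.4 format)."""
import re
from collections import Counter

# Constructed sample in the 2.4-kernel ip_conntrack layout; not captured from a real host.
# Columns: proto  proto-number  timeout-seconds  [tcp-state]  orig-tuple [UNREPLIED] reply-tuple [ASSURED] use=N
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=192.0.2.20 sport=40001 dport=22 src=192.0.2.20 dst=192.0.2.10 sport=22 dport=40001 [ASSURED] use=1
tcp      6 119 SYN_SENT src=198.51.100.7 dst=192.0.2.20 sport=51000 dport=80 [UNREPLIED] src=192.0.2.20 dst=198.51.100.7 sport=80 dport=51000 use=1
tcp      6 118 SYN_SENT src=198.51.100.7 dst=192.0.2.21 sport=51001 dport=80 [UNREPLIED] src=192.0.2.21 dst=198.51.100.7 sport=80 dport=51001 use=1
tcp      6 117 SYN_SENT src=198.51.100.7 dst=192.0.2.22 sport=51002 dport=80 [UNREPLIED] src=192.0.2.22 dst=198.51.100.7 sport=80 dport=51002 use=1
udp      17 29 src=192.0.2.10 dst=192.0.2.1 sport=5353 dport=53 src=192.0.2.1 dst=192.0.2.10 sport=53 dport=5353 use=1
"""

# proto, proto number, timeout, optional upper-case TCP state, remainder of the line
ENTRY_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(?:([A-Z_]+)\s+)?(.*)$")


def parse_conntrack(text):
    """Turn ip_conntrack text into a list of dicts (one per tracked connection)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line) if line else None
        if not m:
            continue
        proto, _num, timeout, state, rest = m.groups()
        pairs = re.findall(r"(\w+)=(\S+)", rest)
        # The first src=/dst= pair is the original direction (the initiator).
        src = next((v for k, v in pairs if k == "src"), None)
        dst = next((v for k, v in pairs if k == "dst"), None)
        entries.append({
            "proto": proto,
            "timeout": int(timeout),
            "state": state,            # None for non-TCP entries
            "src": src,
            "dst": dst,
            "unreplied": "[UNREPLIED]" in rest,
            "assured": "[ASSURED]" in rest,
        })
    return entries


def summarize(entries, max_entries):
    """Usage ratio, per-state counts and the sources holding the most unreplied entries."""
    unreplied = [e for e in entries if e["unreplied"]]
    return {
        "total": len(entries),
        "max": max_entries,
        "usage": len(entries) / max_entries if max_entries else 0.0,
        "states": dict(Counter(e["state"] for e in entries if e["state"])),
        "unreplied": len(unreplied),
        "top_unreplied_sources": Counter(e["src"] for e in unreplied).most_common(3),
    }


def assess(summary, usage_threshold=0.8, unreplied_threshold=0.5):
    """Return human-readable findings; an empty list means the table looks healthy."""
    findings = []
    if summary["usage"] >= usage_threshold:
        findings.append("conntrack table %d/%d entries (%.0f%% full)"
                        % (summary["total"], summary["max"], 100 * summary["usage"]))
    if summary["total"] and summary["unreplied"] / summary["total"] >= unreplied_threshold:
        src, n = summary["top_unreplied_sources"][0]
        findings.append("%d of %d entries are unreplied; top source %s holds %d"
                        % (summary["unreplied"], summary["total"], src, n))
    return findings


def read_live():
    """Read the real table and limit on a 2.4 host; returns None where the files are absent."""
    try:
        with open("/proc/net/ip_conntrack") as f, \
                open("/proc/sys/net/ipv4/ip_conntrack_max") as g:
            return f.read(), int(g.read().strip())
    except OSError:
        return None


if __name__ == "__main__":
    live = read_live()
    text, limit = live if live else (SAMPLE_CONNTRACK, 4096)  # 4096 mirrors Jet's 4K default
    report = summarize(parse_conntrack(text), limit)
    for line in assess(report) or ["conntrack table within thresholds"]:
        print(line)
```

Run it periodically from cron on the firewall; the unreplied-share finding fires well before the table is full, which is the early signal that half-open entries are accumulating, while the usage finding tells you how close ip_conntrack_max is to being hit. On 2.6 and later kernels the file is /proc/net/nf_conntrack with an extra address-family prefix per line, so the regex would need adjusting there.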