From: Mohamed Eldesoky <eldesoky.lists@gmail.com>
To: monz@danbbs.dk
Cc: netfilter <netfilter@lists.netfilter.org>,
"Taylor, Grant" <gtaylor@riverviewtech.net>
Subject: Re: TCP_CONNTRACK_ESTABLISHED 5days
Date: Tue, 3 May 2005 11:23:48 +0300
Message-ID: <1403218a0505030123f2e857c@mail.gmail.com>
In-Reply-To: <42764CF2.9060503@danbbs.dk>
On 5/2/05, Mogens Valentin <monz@danbbs.dk> wrote:
> Taylor, Grant wrote:
> >> Moritz, thanks for pointing that out.
> >> Your suggested 10 minutes seems a bit short, though..
> >
> >
> > I would not set ip_conntrack_tcp_timeout_established to any thing lower
> > than tcp_fin_timeout. I would be tempted to set
> > ip_conntrack_tcp_timeout_established to approximately double what
> > tcp_fin_timeout is set to. I don't know of any reason that conntrack
> > would need to keep things for twice tcp_fin_timeout, but I'd rather be
> > safe than sorry. Besides even double of tcp_fin_timeout is CONSIDERABLY
> > less than 5 days.
>
> Hmm, dunno if various distros set tcp_fin_timeout differently.
> With 2.6.10, it's 60 secs (not a distro kernel, and I didn't set this).
> Are you saying that Moritz's 10mins will in some (distro?) cases violate
> ip_conntrack_tcp_timeout_established >= tcp_fin_timeout * 2 ?
>
In Debian 3.1 it is 5 days too!!!
The question now is: what troubles would happen if we kept it/changed it?!?!
> Anyway, /usr/src/linux/Documentation/filesystems/proc.txt says
>
> tcp_fin_timeout
> ---------------
> The length of time in seconds it takes to receive a final FIN before the
> socket is always closed. This is strictly a violation of the TCP
> specification, but required to prevent denial-of-service attacks.
>
> I'm having trouble understanding the 'strictly a violation' part.
> Is it a (iana) crime to define tcp_fin_timeout?
>
> --
> Kind regards,
> Mogens Valentin
>
>
--
Mohamed Eldesoky
www.eldesoky.net
RHCE
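As an added example, not part of the thread, the rule Grant describes above (established timeout never below tcp_fin_timeout, ideally about double it) written as a small POSIX sh checker. The /proc paths are assumed for a 2.6-era ip_conntrack kernel like the ones discussed; on later nf_conntrack kernels the established-timeout file has a different name.

```shell
#!/bin/sh
# Added example, not from the thread. Paths assumed for a 2.6-era ip_conntrack
# kernel; they are hypothetical on other systems.
FIN_PATH=/proc/sys/net/ipv4/tcp_fin_timeout
EST_PATH=/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established

# recommended_established FIN -> the "double tcp_fin_timeout" value from the thread
recommended_established() {
    echo $(( $1 * 2 ))
}

# check_timeouts FIN EST -> one word:
#   too-low       EST below tcp_fin_timeout (the thread's hard lower bound)
#   below-double  EST at or above tcp_fin_timeout but under double it
#   meets-double  EST at or above double tcp_fin_timeout
check_timeouts() {
    fin=$1; est=$2
    if [ "$est" -lt "$fin" ]; then
        echo too-low
    elif [ "$est" -lt "$(recommended_established "$fin")" ]; then
        echo below-double
    else
        echo meets-double
    fi
}

# days_of SECONDS -> whole days, so a value like 432000 reads as "5 days"
days_of() {
    echo $(( $1 / 86400 ))
}

# report: read the live values and print the verdict plus the ratio to
# tcp_fin_timeout; returns 2 when the sysctl files are not readable here.
report() {
    [ -r "$FIN_PATH" ] && [ -r "$EST_PATH" ] || {
        echo "conntrack/tcp sysctls not readable on this host" >&2; return 2; }
    fin=$(cat "$FIN_PATH"); est=$(cat "$EST_PATH")
    echo "tcp_fin_timeout=$fin established=$est ($(days_of "$est") days," \
         "$(( est / fin ))x tcp_fin_timeout)"
    echo "verdict: $(check_timeouts "$fin" "$est");" \
         "double tcp_fin_timeout would be $(recommended_established "$fin")"
}

# Only touch /proc when explicitly asked, so the functions can be sourced safely.
if [ "${1:-}" = "--live" ]; then report; fi
```

With the 60-second tcp_fin_timeout Mogens reports, the 5-day default (432000 s) scores as meets-double by a factor of 7200, which is the gap the thread is complaining about.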