From: Friedrich Lobenstock <fl@fl.priv.at>
To: Netfilter Development Mailinglist <netfilter-devel@lists.netfilter.org>
Subject: Re: iptables denial of services
Date: Sat, 17 Apr 2004 13:13:14 +0200 [thread overview]
Message-ID: <4081114A.40808@fl.priv.at> (raw)
In-Reply-To: <Pine.LNX.4.44.0404161149300.1981-100000@filer.marasystems.com>
Henrik Nordstrom wrote on 16.04.2004 12:03 MET:
> On Thu, 15 Apr 2004, Jorge Garcia wrote:
>
>>Is this a problem in iptables firewall? I mean, does iptables stop filtering after handling a lot of traffic?
>
> No, but it may start dropping packets if overloaded.
>
> If you are doing connection tracking then there is also an analogy to the
> connection flooding, where conntrack will not accept new sessions when a
> huge number of connections is already established and this will most likely
> result in those new sessions being dropped by your firewall. But it is not a
> risk that filtering stops, only that new connections may not be accepted
> for a while. The number of sessions involved is considerably higher than
> on a server so your servers will most likely be dead long before the limit
> in conntrack can be reached.
What if the server you are talking about is a server farm? Then an iptables
gateway that does connection tracking on the way may as well "die" before the
servers "die" because of overload.
Can you give some details about those limits? Are there any numbers
available that relate them to memory/CPU/...?
--
MfG / Regards
Friedrich Lobenstock
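A defender-side check for the conntrack limit discussed above, added here as an example and not part of the thread: it reads the kernel's conntrack count and maximum, reports how full the table is, and counts the "table full, dropping packet" kernel messages that mark refused flows. The sysctl paths and the log message text are real; the threshold values and the sample log are constructed.

```shell
#!/bin/sh
# Example helper (not from the thread): how close is the conntrack table to
# the limit at which new sessions are dropped? Defaults are the sysctl paths
# on current kernels; 2.4/2.6-era kernels expose the same values as
# /proc/sys/net/ipv4/netfilter/ip_conntrack_{count,max}.
CT_COUNT_FILE="${CT_COUNT_FILE:-/proc/sys/net/netfilter/nf_conntrack_count}"
CT_MAX_FILE="${CT_MAX_FILE:-/proc/sys/net/netfilter/nf_conntrack_max}"

# conntrack_usage_pct COUNT_FILE MAX_FILE -> prints integer percent in use
conntrack_usage_pct() {
    count=$(cat "$1") || return 1
    max=$(cat "$2") || return 1
    [ "$max" -gt 0 ] || return 1          # guard against a zero limit
    echo $(( count * 100 / max ))
}

# conntrack_status PCT [WARN_PCT] [CRIT_PCT] -> prints ok|warn|critical
# and exits 0/1/2 (Nagios-style). Thresholds 70/90 are constructed defaults.
conntrack_status() {
    pct=$1; warn=${2:-70}; crit=${3:-90}
    if [ "$pct" -ge "$crit" ]; then echo critical; return 2
    elif [ "$pct" -ge "$warn" ]; then echo warn; return 1
    else echo ok; return 0
    fi
}

# count_table_full_events LOGFILE -> number of kernel "table full" drops.
# The pattern matches both the old ip_conntrack and the nf_conntrack message.
count_table_full_events() {
    grep -c 'conntrack: table full, dropping packet' "$1" || true
}

# conntrack_report [LOGFILE] -> one summary line using the live sysctl files
conntrack_report() {
    pct=$(conntrack_usage_pct "$CT_COUNT_FILE" "$CT_MAX_FILE") || return 1
    state=$(conntrack_status "$pct")
    drops=0
    [ -n "${1:-}" ] && drops=$(count_table_full_events "$1")
    echo "conntrack ${pct}% used state=${state} table_full_drops=${drops}"
}
```

Run `conntrack_report /var/log/kern.log` on the gateway to get a single line suitable for cron or a monitoring plugin; the count/max files can be overridden with the CT_COUNT_FILE and CT_MAX_FILE environment variables.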