From: "Taylor, Grant" <gtaylor@riverviewtech.net>
To: netfilter <netfilter@lists.netfilter.org>
Subject: Re: TCP_CONNTRACK_ESTABLISHED 5days
Date: Mon, 02 May 2005 11:05:30 -0500 [thread overview]
Message-ID: <42764FCA.9070405@riverviewtech.net> (raw)
In-Reply-To: <42764CF2.9060503@danbbs.dk>
> Hmm, dunno if various distros set tcp_fin_timeout differently.
> With 2.6.10, it's 60 secs (not a distro kernel, and I didn't set this).
> Are you saying that Mouritz' 10mins will in some (distro?) cases violate
> ip_conntrack_tcp_timeout_established >= tcp_fin_timeout * 2 ?
No, not at all. I'm merely stating that I see no reason to have ip_conntrack_tcp_timeout_established any higher than tcp_fin_timeout safe for some small head room. Seeing as how the time was for 5 days, I see no reason to hold it open for twice the tcp_fin_timeout period for safe head room. Any thing beyond tcp_fin_timeout and your local TCP stack will have closed the connection any way. As soon as I type this I start wondering about systems behind a firewall. Hmm... Something to think about.
> Anyway, /usr/src/linux/Documentation/filesystems/proc.txt says
>
> tcp_fin_timeout
> ---------------
> The length of time in seconds it takes to receive a final FIN before the
> socket is always closed. This is strictly a violation of the TCP
> specification, but required to prevent denial-of-service attacks.
>
>
> I'm having trouble understanding the 'strictly a violation' part.
> Is it a (iana) crime to define tcp_fin_timeout?
I have not (recently) read (enough) of the TCP specification to know for sure what is in violation, but I would be willing to bet that a TCP ""conversation is to remain in the open state (Syn, Syn-Ack, Ack-Ack...) state until both sides close the connection gracefully or see a reset. Thus if we artificially close the connection we are violating the TCP specification by doing such. Seeing as how this is usually not a problem... This is sort of like what the TARPIT target is targeting. TARPIT will take a TCP connection to the established state and release all resources but not honor a close of the connection. This failure to close the connection causes the sending system to get stuck in the TARPIT (hens the name) until it is willing to forcefully close the connection from it's end via timeout.
Grant. . . .
next prev parent reply other threads:[~2005-05-02 16:05 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-05-02 13:32 TCP_CONNTRACK_ESTABLISHED 5days Mogens Valentin
2005-05-02 14:10 ` Mogens Valentin
2005-05-02 14:19 ` Moritz Gartenmeister
2005-05-02 14:31 ` Taylor, Grant
2005-05-02 15:53 ` Mogens Valentin
2005-05-02 16:05 ` Taylor, Grant [this message]
2005-05-03 8:23 ` Mohamed Eldesoky
2005-05-03 10:48 ` Mogens Valentin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=42764FCA.9070405@riverviewtech.net \
--to=gtaylor@riverviewtech.net \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.