Re: Variable state entry timeouts?

At 21:01 Uhr -0700 31.08.2007, Darren Reed wrote:
>Hauke Fath wrote:
>> ...
>> [hf@Vertatscha] /home/hf # ipfstat -s
>> IP states added:
>> ...
>> 15701 maximum
>...
>
>I'm willing to bet that because you are hitting the roof with
>your state table entries, the ssh connections are being flushed
>out as part of the "idle cleanup".

Hm. Many people are still on holiday, so last week's network load
wasn't too high. Is there any way of increasing the size of the state
memory pool?

And is http://www.phildev.net/ipf/IPFprob.html#prob9 of any relevance here?

> If you use "-a" with ipmon
>to log all of the NAT and state table additions/removals,
>I'm going to guess that you'll see the ssh connection being
>flushed not long before the blocked packets.

I'll try that on Monday. Don't want to mess with the ipfilter setup
from home. ;)

> The change from
>.13 to .23 was to fix the flushing. Now perhaps it works *too* well...
>and maybe there's a need to specify _some_ connections as not
>automatically flushable....

Sounds like a good idea...

Thanks for looking at this,

hauke

--
The ASCII Ribbon Campaign Hauke Fath
() No HTML/RTF in email Institut für Nachrichtentechnik
/\ No Word docs in email TU Darmstadt
Respect for open standards Ruf +49-6151-16-3281