Displaying 20 results from an estimated 24 matches for "tcp_syncookies".
2013 Aug 23
1
Setting Up LVS to Load Balance DNS
Greetings, all:
OS: CentOS 6.4 x86_64
Kernel: 2.6.32-358.14.1
I could use some assistance with setting up pulse to load balance my dns
servers. I've configured tcp and udp port 53 with the piranha gui, set up
arptable rules on the real servers and added the virtual ip to the bond0
interface on the real servers, but I'm still having no luck in getting
things going. A dig against the
2008 Jun 02
4
Syn Flood Attack to SMTP server
Hello everyone, it is a pleasure to be here.
I have a problem with my server; it runs qmail SMTP and I protect it with
shorewall. Since yesterday I get syn flood attacks on port 25, which means
that no longer meet. How can I stop this with shorewall?
my setup is as follows.
zones:
#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local networks
dmz DMZ
2003 May 19
5
FreeBSD firewall block syn flood attack
Hello,
I currently have a FreeBSD 4.8 bridge firewall that sits between 7 servers and
the internet. The servers are being attacked with syn floods and go down
multiple times a day.
The 7 servers belong to a client, who runs redhat.
I am trying to find a way to do some kind of syn flood protection inside the
firewall.
Any suggestions would be greatly appreciated.
--
Ryan James
ryan@mac2.net
2013 Aug 14
12
xen 4.3 - bridge with bonding under Debian Wheezy
...dge_ports bond0
bond-miimon 100
bond-lacp_rate 1
bond-downdelay 200
bond-updelay 200
address 0.0.0.0
netmask 0.0.0.0
***
***
/etc/sysctl.conf
#kernel.printk = 3 4 1 3
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
#net.ipv4.tcp_syncookies=1
net.ipv4.ip_forward=1
#net.ipv4.conf.br0.proxy_arp=1
#net.ipv4.conf.eth0.proxy_arp=1
#net.ipv4.conf.eth1.proxy_arp=1
#net.ipv6.conf.all.forwarding=1
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
#net.ipv4.conf.all.send_redirects = 0
#net.ipv4.conf.all.accept_sour...
2013 Jun 04
3
Centos6.4 routing problem
...blic internet, e.g. 8.8.8.8
the only EM I'm seeing is when executing command :
[root at centoshofkwartier ~]# sysctl -p /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kerne...
2016 Aug 12
3
Linux TCP flaw
...s ~]# uname -r
2.6.32-042stab108.7
[root at vps ~]# sysctl -a | grep ack_limit
net.ipv4.tcp_challenge_ack_limit = 100
[root at vps ~]# vi /etc/sysctl.conf
> Append
> net.ipv4.tcp_challenge_ack_limit = 999999999
> to end of file
[root at vps ~]# sysctl -p
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
error: permission denied on key 'net.bridge.bridge-nf-call-ip6tables'
error: permission denied on key 'net.bridge.bridge-nf-call-iptables'
error: permission denied on key 'net.bridge.bridge-nf-call-arptables'
error: permission denied on key 'net.ipv4.tcp_challenge_ac...
2007 Jun 12
1
How to setup both Transparent Proxy and firewall on the same Machine.
....
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat
iptables -F -t mangle
#Enabling ip forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
#enable syn cookies (prevent against the common 'syn flood attack')
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
#do source validation by reversed path
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#Enable tracking mechanism
/sbin/modprobe -a ip_conntrack_ftp ip_nat_ftp
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED...
2004 Mar 01
0
logs strangers...
...it connect to
a switch which connect 4 access points (linksys), each
giving connection for every eth2 "C" class
Along a week I've changed my syslog.ctl like:
net.ipv4.ip_forward = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_window_scaling = 0
net.ipv4.tcp_sack = 0
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_low_latency = 1
net.ipv4.tcp_ecn = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all...
2013 Sep 05
0
windows guest network kept down automatically when several windows guest running in one KVM host,
...rce_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1
# Disable netfilter on bridges.
# Controls the default maxmimum size of a mesage queue
kernel.msgmnb = 65536
# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536
# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736
# Controls the maximum...
2015 Dec 24
0
systemd-sysctl not running on boot
...ame>.conf file
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_forward = 0
kernel.panic = 20
kernel.sem = 250 65000 32 256
vm.swappiness = 10
net.ipv4.conf.all.log_martians = 1
kernel.dmesg_restrict = 1
vm.dirty_ratio = 15
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.disable_ipv6 = 1
kernel.kptr_restrict = 1
[root at web-devel-local-1 ~]# systemctl status systemd-sysctl
● systemd-sysctl.service - Apply Kernel Variables
Loaded: loaded (/usr/lib/systemd/system/systemd-sysctl.service; static;
vendor preset: disabled)
Active: active (e...
2015 Dec 24
2
systemd-sysctl not running on boot
also in /etc/sysctl.d/
On Thu, Dec 24, 2015 at 8:58 AM, Gordon Messmer <gordon.messmer at gmail.com>
wrote:
> On 12/23/2015 05:08 AM, Ofer Hasson wrote:
>
>> By running "systemctl status systemd-sysctl" I also receive the same
>> output, but a simple "cat /proc/sys/vm/swappiness" returns the default
>> value, and not the one set by my conf file.
2014 May 06
0
poor write performance or locking issues with ocfs2
...will write also). I guess the read-rate is about 80%.
- The filesystem was online extended 2 times after initial setup.
- sysctl.conf parameters are set (for the webserver):
--
net.ipv4.ip_nonlocal_bind=1
net.ipv4.tcp_fin_timeout=10
net.ipv4.ip_local_port_range=1024 65535
vm.swappiness=10
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
--
Now, the problem:
The cluster runs well, but some times a day the systemload grows up from ~0-1 to 40, 500, 2000! CPU is fine, no problems. RAM is free, no problems.
"ps -e -o pid,stat,comm,wchan=WIDE-WCHAN-COLUMN | grep D" sho...
2009 Feb 06
8
iptables: forwarding on internal device
Good Evening,
I am trying to forward packages on an internal device using iptables:
/sbin/iptables -A FORWARD -i eth0 -o eth0 -m state --state
NEW,RELATED,ESTABLISHED -j ACCEPT
but the packages are still blocked, e.g.:
Feb 6 20:58:28 firewall kernel: DROP-TCP IN=eth0 OUT=eth0
SRC=192.168.100.177 DST=172.28.2.184 LEN=40 TOS=0x00 PREC=0x00 TTL=127
ID=16609 PROTO=TCP SPT=7166 DPT=3590 WINDOW=0
2003 Apr 14
2
(OT) rfc1948 question
...found that
SYN-ACK generation was moved to tcp_syncache.c
I did not manage to find any rfc1948 related info in CVS log for this
file. Maybe I just missed it.
Then I just looked into my copy of tcp_syncache.c and found that:
;------------------Begin clipboard----------------------------
if (tcp_syncookies)
sc->sc_iss = syncookie_generate(sc);
else
sc->sc_iss = arc4random();
;--------------------End clipboard----------------------------
Is it the place where synack iss is generated? If yes, then why
net.inet.tcp.syncookies sysctl is turned on by default?...
2015 Apr 26
2
Route traffic through private IP for only certain hosts
...th0 scope link metric 1002
169.254.0.0/16 dev eth1 scope link metric 1003
default via x.x.x.z dev eth0
</pre>
Here is a *sysctl -p*
<pre>
# sysctl -p
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.default.proxy_arp = 1
net.ipv4.conf.all.rp_filter = 1
kernel.sysrq = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf...
2013 Jan 04
4
CentOS 6.3 as Firewall/Router
...ngs (Smurf-Amplifier-Protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#Kill redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# 3.2 Non-Required p...
2001 Nov 06
0
Security Update: [CSSA-2001-38.0] Linux - syncookies firewall breaking problem
...ages previous to
linux-2.4.2-14S
OpenLinux Workstation 3.1 All packages previous to
linux-2.4.2-14D
3. Solution
Workaround
Disable syncookies by doing:
echo -n 0 > /proc/sys/net/ipv4/tcp_syncookies
The proper solution is to upgrade to the latest packages.
4. OpenLinux 2.3
4.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/RPMS
The corresponding source code pack...
2004 Jan 07
11
Random ping jumps
...et line isn't loaded up, server load fine. QOS isn't used, qdiscs default.
I don't realize what the problem is and even how to debug it. Sysctl config:
net/ipv4/ip_forward = 1
net/ipv4/icmp_ignore_bogus_error_responses = 1
net/ipv4/icmp_echo_ignore_broadcasts = 1
net/ipv4/tcp_syncookies = 1
net/ipv4/tcp_timestamps = 0
net/ipv4/tcp_window_scaling = 0
net/ipv4/tcp_sack = 0
net/ipv4/tcp_fin_timeout = 30
net/ipv4/tcp_keepalive_time = 1800
net/ipv4/tcp_low_latency = 1
Thanks for any thoughts.
2011 May 07
5
Samba 3.5.8 - windows XP workstations disappear from browselist
...aight (domain->ip) and reverse (address->ip). It is well tested. Also
I've made /etc/hosts and /etc/samba/lmhosts files. They contain the same
ip=domain setup as named.
Next thing was a firewall on my server (smbd and nmbd run on it) but I
found that it does not matter. Even turning off tcp_syncookies and
rp_filter. Without success.
I have found an article suggesting that the Windows XP firewall is to blame.
I don't think it is true, because workstations run different types of
firewall. One of them uses Windows firewall but others use another
firewalling solution. Both of these disappear from...
2003 Feb 03
4
[Bug 40] system hangs, Availability problems, maybe conntrack bug, possible reason here.
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=40
laforge@netfilter.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
------- Additional Comments From laforge@netfilter.org 2003-02-03 16:49 -------
We haven't seen this