Max. limit reached -> box unusable

Denis Ducamp Denis.Ducamp@hsc.fr
Mon, 24 Jul 2000 16:43:30 +0200


On Sun, Jul 23, 2000 at 07:53:57PM +1000, Mircea Damian wrote:
> On Sat, Jul 22, 2000 at 10:12:57PM +0200, Denis Ducamp wrote:
> > 
> > I've been running test4 since the 14th of July and I have no problem (except active
> > ftp and a possible syn flood). test4 and test5-pre2 don't differ much, so I
> > think that someone synflooded you. You may look at the netfilter cvs
> > <http://cvs.samba.org/cvsweb/netfilter/?sortby=date#dirlist> for the patch
> > called patch-test4-pre3-synflood.
> 
> Ok. Thank you. That should explain my problem.
> 
> Though I believe that a 5-day timeout is quite big for a default value. It
> would be nice to have this configurable at least at config time (say an
> option).
> I just noticed that my mail server has the same behaviour. I do not
> understand anyway why I have so many ESTABLISHED connections in
> /proc/net/ip_conntrack and netstat -tan does not show them.
...
>  Can someone enlighten me a bit here?

iptables must be independent of the stack, and the state of the filter must
not depend on the state of the stack. The filter must be something
over/under the stack. That should permit protecting against a vulnerability
in the stack.

The difference between /proc/net/ip_conntrack and netstat comes from the
fact that ip_conntrack and the TCP/IP stack are independent and that a
bug in 2.4.0-test* considers as established a connection where only the SYN
and SYN-ACK have been seen, without the ACK that finishes the 3-way handshake.

I applied the patch called patch-test4-pre3-synflood (look at the cvs
<http://cvs.samba.org/cvsweb/netfilter/?sortby=date#dirlist>) and that
problem has gone away :-)))

I haven't tried yet to stress the "Rusty's poor-man's sequence track".

I applied the patch called patch-test5-pre3-local-ftp-fix too and passive
ftp works again behind masquerading :-))) (f*ck*ng MSIE 5... how do you tell
it to *always* use the http proxy for http *and* ftp connections?).

Thanks to Rusty, James and Marc (ftp patch).

Denis.

PS. with the ftp patch, ip_fw_compat.c doesn't compile and the ipchains and
ipfwadm modules aren't available:

gcc -D__KERNEL__ -I/usr/src/linux/include -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer -pipe   -march=i686 -fno-strict-aliasing -DMODULE -DMODVERSIONS -include /usr/src/linux/include/linux/modversions.h   -c -o ip_fw_compat.o ip_fw_compat.c
ip_fw_compat.c: In function `confirm_connection':
ip_fw_compat.c:74: `pskb' undeclared (first use in this function)
ip_fw_compat.c:74: (Each undeclared identifier is reported only once
ip_fw_compat.c:74: for each function it appears in.)
make[2]: [ip_fw_compat.o] Error 1 (ignored)
ld -m elf_i386 -r -o ipchains.o ipchains_core.o ip_fw_compat.o ip_fw_compat_redir.o ip_fw_compat_masq.o ip_conntrack_core.o ip_conntrack_proto_generic.o ip_conntrack_proto_tcp.o ip_conntrack_proto_udp.o ip_conntrack_proto_icmp.o ip_nat_core.o ip_nat_proto_unknown.o ip_nat_proto_tcp.o ip_nat_proto_udp.o ip_nat_proto_icmp.o
ld: cannot open ip_fw_compat.o: No such file or directory
make[2]: [ipchains.o] Error 1 (ignored)
ld -m elf_i386 -r -o ipfwadm.o ipfwadm_core.o ip_fw_compat.o ip_fw_compat_redir.o ip_fw_compat_masq.o ip_conntrack_core.o ip_conntrack_proto_generic.o ip_conntrack_proto_tcp.o ip_conntrack_proto_udp.o ip_conntrack_proto_icmp.o ip_nat_core.o ip_nat_proto_unknown.o ip_nat_proto_tcp.o ip_nat_proto_udp.o ip_nat_proto_icmp.o
ld: cannot open ip_fw_compat.o: No such file or directory
make[2]: [ipfwadm.o] Error 1 (ignored)

-- 
Denis.Ducamp@hsc.fr -- Hervé Schauer Consultants -- http://www.hsc.fr/
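The following is an added example, not code from the message or from netfilter. It is a toy model of stateful TCP tracking that reproduces the behaviour the message describes: a tracker that moves an entry to ESTABLISHED (with the 5-day timeout) as soon as it has seen SYN and SYN-ACK, versus one that waits for the client's final ACK. The half-open timeout (60 s), the table capacity (1000 entries), the state names and the constructed traffic are assumptions of the model, not netfilter's values; the simulation shows why a spoofed SYN flood fills the first table for days while the second recovers within the short timeout.

```python
"""Toy model of conntrack-style TCP tracking, with and without the
half-open bug described in the message. Added example, not netfilter code."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ESTABLISHED_TIMEOUT = 5 * 24 * 3600   # 5 days, the default discussed in the message
HALF_OPEN_TIMEOUT = 60                # assumed: short timeout for unfinished handshakes
TABLE_MAX = 1000                      # assumed: capacity of the model's conntrack table

Key = Tuple[str, int, str, int]


@dataclass
class Entry:
    state: str      # "SYN_SENT", "SYN_RECV" or "ESTABLISHED" (model's own names)
    expires: float  # absolute time at which the entry is garbage-collected


class ConntrackTable:
    """Entries are keyed by the original-direction 4-tuple; reply packets are
    matched by reversing their tuple, as a stateful filter must do."""

    def __init__(self, require_final_ack: bool) -> None:
        self.require_final_ack = require_final_ack
        self.entries: Dict[Key, Entry] = {}
        self.dropped = 0

    @staticmethod
    def _timeout(state: str) -> float:
        return ESTABLISHED_TIMEOUT if state == "ESTABLISHED" else HALF_OPEN_TIMEOUT

    def expire(self, now: float) -> None:
        self.entries = {k: e for k, e in self.entries.items() if e.expires > now}

    def see(self, src: str, sport: int, dst: str, dport: int,
            flags: str, now: float) -> bool:
        """Process one packet (flags: 'S', 'SA' or 'A'); False means dropped."""
        self.expire(now)
        orig: Key = (src, sport, dst, dport)
        reply: Key = (dst, dport, src, sport)

        if orig in self.entries:                  # original direction
            e = self.entries[orig]
            if e.state == "SYN_RECV" and "A" in flags and "S" not in flags:
                e.state = "ESTABLISHED"           # final ACK of the 3-way handshake
            e.expires = now + self._timeout(e.state)
            return True

        if reply in self.entries:                 # reply direction
            e = self.entries[reply]
            if e.state == "SYN_SENT" and flags == "SA":
                # The bug: ESTABLISHED on SYN-ACK alone, before the client's ACK.
                e.state = "SYN_RECV" if self.require_final_ack else "ESTABLISHED"
            e.expires = now + self._timeout(e.state)
            return True

        if flags == "S":                          # new connection attempt
            if len(self.entries) >= TABLE_MAX:
                self.dropped += 1                 # table full: the "box unusable" case
                return False
            self.entries[orig] = Entry("SYN_SENT", now + HALF_OPEN_TIMEOUT)
            return True

        self.dropped += 1                         # no entry and not a SYN
        return False


def simulate(require_final_ack: bool) -> dict:
    """Spoofed SYN flood, then a legitimate client two minutes later."""
    table = ConntrackTable(require_final_ack)
    server = ("10.0.0.1", 25)
    # Constructed traffic: TABLE_MAX spoofed SYNs; the server answers each with a
    # SYN-ACK that the firewall also sees; the spoofed sources never send the ACK.
    for i in range(TABLE_MAX):
        spoofed = ("192.0.2.%d" % (i % 250), 1024 + i)
        table.see(*spoofed, *server, "S", now=0.0)
        table.see(*server, *spoofed, "SA", now=0.1)
    after_flood = len(table.entries)

    # 120 s later a real client performs a complete three-way handshake.
    client = ("203.0.113.7", 40000)
    t = 120.0
    accepted = table.see(*client, *server, "S", now=t)
    if accepted:
        table.see(*server, *client, "SA", now=t + 0.01)
        table.see(*client, *server, "A", now=t + 0.02)
    entry: Optional[Entry] = table.entries.get((*client, *server))
    return {
        "entries_after_flood": after_flood,
        "entries_after_120s": len(table.entries),
        "legit_accepted": accepted,
        "legit_state": entry.state if entry else None,
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("require_final_ack=%s -> %s" % (flag, simulate(flag)))
```

With `require_final_ack=False` the flood leaves 1000 ESTABLISHED entries that will not expire for five days, and the legitimate SYN is dropped because the table is full; with `require_final_ack=True` the half-open entries are gone after 60 s and the real client reaches ESTABLISHED. This is also why such entries show up in /proc/net/ip_conntrack but not in netstat: the tracker's state is kept independently of the stack's sockets.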