Hi All,

We have recently had a few outbound synfloods (from machines infected by one of the numerous 'bots'). An unfortunate side effect of this is that the state tables in pf eventually fill up and no legitimate new connections are accepted.

I currently have "set optimization conservative" and I am guessing that this is not helping. I have also looked at the synproxy state setting, but as I understand it this protects end hosts from synfloods and will have no effect on the state table usage.

I have lots of memory on the firewalls and one thing that has occurred to me is that I could set the state table size much higher and have a monitor that pages someone when it goes above some reasonable limit.

Another possibility is to tweak "set timeout tcp.opening"; what would be a reasonable value? The default seems to be 15 minutes. Hmmmm... it would be nice to have this setting depend on the number of current states, i.e. we time out non-established sessions more aggressively when the state table is nearly full. There does not seem to be any way of modifying the timeouts on the fly, i.e. with pfctl, so I can't do this from a script.

Any other suggestions? (Please tell me I've missed the obvious again ;)

I really need that book! (Yes, it is on order and Amazon say they have shipped it.)

-- 
Russell Fulton                                    /~\  The ASCII
Network Security Officer                          \ /  Ribbon Campaign
The University of Auckland                         X   Against HTML
New Zealand                                       / \  Email!
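Added example (not from the post or from the pf project): a POSIX sh monitor for the "page someone when the state table gets too full" idea, which reads the "current entries" line that pfctl -si prints and the "states hard limit" line from pfctl -sm and alerts above a threshold. The pfctl output embedded below is constructed so the script runs without pf, and the 80% threshold is an assumed value; for the wish that timeouts scale with table occupancy, pf's own adaptive timeouts (set timeout { adaptive.start N, adaptive.end M }) shrink every timeout linearly as the table fills between those two counts.

```shell
#!/bin/sh
# Added example: flag a nearly full pf state table before legitimate
# connections start being refused. Works on the text output of
# `pfctl -si` and `pfctl -sm`; samples below are constructed.

# Constructed, abbreviated `pfctl -si` output (87% of a 10000-state table).
SAMPLE_SI='State Table                          Total             Rate
  current entries                     8700
  searches                         1234567          300.0/s
  inserts                            45678           10.0/s
  removals                           36978            9.0/s'

# Constructed `pfctl -sm` output (the "set limit states" hard limit).
SAMPLE_SM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit      500'

# current_states: number of state entries, from pfctl -si text on stdin.
current_states() {
    awk '/current entries/ { print $3; exit }'
}

# state_limit: configured states hard limit, from pfctl -sm text on stdin.
state_limit() {
    awk '$1 == "states" && $2 == "hard" { print $4; exit }'
}

# usage_percent CUR LIMIT: integer percentage of the table in use.
usage_percent() {
    echo $(( $1 * 100 / $2 ))
}

# check_states THRESHOLD CUR LIMIT: return 0 when usage is at or below
# THRESHOLD percent, otherwise print an alert line and return 1.
check_states() {
    pct=$(usage_percent "$2" "$3")
    if [ "$pct" -gt "$1" ]; then
        echo "ALERT: pf state table ${pct}% full ($2/$3 states)"
        return 1
    fi
    echo "OK: pf state table ${pct}% full ($2/$3 states)"
    return 0
}

# Stand-alone run against the constructed samples. On a real firewall,
# pipe `pfctl -si` and `pfctl -sm` into the two functions instead.
cur=$(printf '%s\n' "$SAMPLE_SI" | current_states)
lim=$(printf '%s\n' "$SAMPLE_SM" | state_limit)
check_states 80 "$cur" "$lim" || echo "(a real deployment would page someone here)"
```

Run it from cron every few minutes and replace the echo with mail(1) or logger(1) to get the page the post asks for.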