[pve-devel] pvefw: using ctmark to associate connections to VMs

Alexandre DERUMIER aderumier at odiso.com
Mon Mar 3 21:01:40 CET 2014


>> Seems syncookies are off by default?

Yes, we should enable them!



----- Original Message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Monday, 3 March 2014 17:28:44
Subject: RE: pvefw: using ctmark to associate connections to VMs

> > > I don't know if we can set up a really high value by default?
> >
> > no idea, sorry.
> >
> > > Also, it seems that another option must be tuned,
> > >
> > > /etc/modprobe.conf:
> > >
> > > options ip_conntrack hashsize=32768
> > >
> > >
> > > I need to read a little more about it
> >
> > Does that mean that everybody can start a DoS attack by simply
> > opening (faking) 64000 TCP connections?
>
> http://tools.ietf.org/html/rfc4987
>
> So what can we do to prevent that?

Seems syncookies are off by default?

# cat /proc/sys/net/ipv4/tcp_syncookies
0
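Added example, not code from this thread or from pve-firewall: a POSIX sh audit of the knobs being discussed (tcp_syncookies, the conntrack table size and its hashsize). The ROOT prefix, the nf_conntrack paths (the modern names for the old ip_conntrack module) and the 8-entries-per-bucket threshold are this example's assumptions, chosen so the check can run against a constructed file tree as well as a live host.

```sh
# Added example (not pve-firewall code): audit the SYN-flood related knobs
# from the thread. ROOT prefixes every path so the same check can run against
# a constructed tree; nf_conntrack paths are the modern names for ip_conntrack.

# read_knob ROOT PATH: trimmed value of a /proc or /sys knob, or "missing"
# when the file is absent (e.g. conntrack module not loaded).
read_knob() {
    if [ -r "$1$2" ]; then tr -d '[:space:]' < "$1$2"; else echo missing; fi
}

# audit_syn_defenses ROOT: one "knob value verdict" line per setting;
# returns 0 only when syncookies are on and the conntrack table looks sane.
audit_syn_defenses() {
    root=$1; rc=0
    sc=$(read_knob "$root" /proc/sys/net/ipv4/tcp_syncookies)
    case $sc in                      # 1 = on backlog overflow, 2 = always
        1|2) echo "tcp_syncookies $sc ok" ;;
        *)   echo "tcp_syncookies $sc WEAK"; rc=1 ;;
    esac

    max=$(read_knob "$root" /proc/sys/net/netfilter/nf_conntrack_max)
    hs=$(read_knob "$root" /sys/module/nf_conntrack/parameters/hashsize)
    if [ "$max" = missing ] || [ "$hs" = missing ] || [ "$hs" -le 0 ]; then
        echo "nf_conntrack max=$max hashsize=$hs MISSING"; rc=1
    else
        # entries per hash bucket when the table is full; the limit of 8
        # is this example's assumption, not a kernel rule
        chain=$((max / hs))
        if [ "$chain" -gt 8 ]; then
            echo "nf_conntrack max=$max hashsize=$hs chain=$chain LONG_CHAINS"; rc=1
        else
            echo "nf_conntrack max=$max hashsize=$hs chain=$chain ok"
        fi
    fi
    return $rc
}

# sample_tree: constructed file tree with the values mentioned in the thread
# (syncookies off, hashsize 32768) and a 65536-entry table; prints its path.
sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/proc/sys/net/ipv4" "$d/proc/sys/net/netfilter" \
             "$d/sys/module/nf_conntrack/parameters"
    echo 0     > "$d/proc/sys/net/ipv4/tcp_syncookies"
    echo 65536 > "$d/proc/sys/net/netfilter/nf_conntrack_max"
    echo 32768 > "$d/sys/module/nf_conntrack/parameters/hashsize"
    echo "$d"
}
audit_syn_defenses "$(sample_tree)" || echo "audit: at least one knob needs attention"
```

Run it with an empty ROOT (`audit_syn_defenses ""`) to check the live kernel instead of the constructed tree.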


