[pve-devel] SYN FLOOD - PVE FIREWALL

Detlef Bracker bracker at 1awww.com
Thu Jun 4 02:18:15 CEST 2015


and I have now seen that in /proc/sys/net/ipv4 it is on - it's only commented out in
/etc/sysctl.conf!

OK, but why is the SYN FLOOD going through the PVE firewall?

The smurf filter is ON too!
nf_conntrack_max was on DEFAULT - now: 196608 (changed in the GUI)
nf_conntrack_tcp_timeout_established is: 18000 (changed in the GUI a long time ago)
The PVE firewall works - I see iptables -L and the ipset list with the standard
blocked IPs.

I have read this, but I don't know whether it is good for Proxmox:

tcp_syn_retries is now 5 - is changing it to 3 better?
tcp_max_syn_backlog is 2048 - good?!


Regards

Detlef

On 04.06.2015 at 01:54, Detlef Bracker wrote:
> Dear all,
>
> is it a good idea to prevent SYN FLOOD on a Proxmox host by uncommenting
>
> #net.ipv4.tcp_syncookies=1
>
> Or is there something else in the PVE firewall to prevent it?
>
> We had 2 SYN FLOODs in 2 days against MySQL servers on many containers with
> different destination IPs, and they came from only one IP! The OVH DDoS
> mitigation stops much of this traffic, but not all!
> Only by blacklisting the IP have we stopped it. But how can we stop this
> in other ways?
>
> Regards
>
> Detlef
>
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
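The thread's finding that net.ipv4.tcp_syncookies is already 1 in /proc/sys while the line in /etc/sysctl.conf is commented out means the setting survives only as the kernel default, not as persisted configuration. The script below is an added example (it is not from the thread or from Proxmox) that makes that distinction visible: it parses sysctl.conf-style text, tracks commented-out keys separately, reads the live values from /proc/sys, and classifies each SYN-flood related key as weak, ok, ok-but-not-persisted, or unavailable (e.g. nf_conntrack_max before the conntrack module is loaded). The thresholds in BASELINE, the tcp_synack_retries key and the status names are this example's assumptions, not Proxmox recommendations; the sample config and /proc snapshot are constructed to mirror the values quoted in the thread.

```python
"""Audit the SYN-flood sysctls discussed in the thread.

Added example (not from the pve-devel thread or the Proxmox code base).
It parses sysctl.conf-style text, keeps commented-out keys separately
(the thread's case: '#net.ipv4.tcp_syncookies=1' commented in
/etc/sysctl.conf while /proc/sys already shows 1), and compares against
the live kernel values.
"""
import operator
import os
import re

# Keys from the thread plus tcp_synack_retries. The thresholds are this
# example's assumptions for a hardened host, not Proxmox recommendations.
BASELINE = {
    "net.ipv4.tcp_syncookies": ("==", 1),
    "net.ipv4.tcp_max_syn_backlog": (">=", 2048),
    "net.ipv4.tcp_syn_retries": ("<=", 3),
    "net.ipv4.tcp_synack_retries": ("<=", 2),
    "net.netfilter.nf_conntrack_max": (">=", 196608),
}
_OPS = {"==": operator.eq, ">=": operator.ge, "<=": operator.le}

# Matches 'key = value', optionally commented out with a leading '#'.
_LINE = re.compile(r"^(?P<comment>#\s*)?(?P<key>[A-Za-z0-9_./-]+)\s*=\s*(?P<val>\S+)$")


def parse_sysctl_conf(text):
    """Return (active, commented) dicts of key -> value string."""
    active, commented = {}, {}
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue  # blank line or free-text comment
        key = m.group("key").replace("/", ".")  # sysctl accepts both forms
        (commented if m.group("comment") else active)[key] = m.group("val")
    return active, commented


def read_live(keys, proc_root="/proc/sys"):
    """Read current kernel values; None when the file is absent
    (e.g. nf_conntrack_max before the conntrack module is loaded)."""
    live = {}
    for key in keys:
        path = os.path.join(proc_root, *key.split("."))
        try:
            with open(path) as fh:
                live[key] = fh.read().strip()
        except OSError:
            live[key] = None
    return live


def audit(conf_text, live):
    """Classify every BASELINE key as ok / weak / unavailable, or as ok but
    not persisted (only the kernel default or a runtime write keeps it set)."""
    active, commented = parse_sysctl_conf(conf_text)
    report = {}
    for key, (op, want) in BASELINE.items():
        cur = live.get(key)
        if cur is None:
            report[key] = "unavailable"
        elif not _OPS[op](int(cur), want):
            report[key] = "weak"
        elif key in active:
            report[key] = "ok" if int(active[key]) == int(cur) else "ok-conf-differs"
        elif key in commented:
            report[key] = "ok-commented-out"
        else:
            report[key] = "ok-not-persisted"
    return report


def suggested_lines(report):
    """sysctl.conf lines that would harden and persist every key not 'ok'."""
    return ["%s = %s" % (key, BASELINE[key][1])
            for key, status in sorted(report.items())
            if status not in ("ok", "unavailable")]


# Constructed sample input mirroring the thread's situation.
SAMPLE_CONF = """\
# /etc/sysctl.conf excerpt (constructed for this example)
#net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_syn_retries=5
"""
SAMPLE_LIVE = {  # constructed /proc/sys snapshot
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.tcp_max_syn_backlog": "2048",
    "net.ipv4.tcp_syn_retries": "5",
    "net.ipv4.tcp_synack_retries": "5",
    "net.netfilter.nf_conntrack_max": "196608",
}

if __name__ == "__main__":
    report = audit(SAMPLE_CONF, SAMPLE_LIVE)
    for key, status in report.items():
        print("%-36s %s" % (key, status))
    print("\n".join(suggested_lines(report)))
    # On a real host: audit(open("/etc/sysctl.conf").read(), read_live(BASELINE))
```

On the constructed input tcp_syncookies comes out as ok-commented-out and nf_conntrack_max as ok-not-persisted; the conntrack values the thread changed in the GUI are applied by pve-firewall itself rather than by /etc/sysctl.conf, so that status is expected for them. These sysctls only protect the host's own listen queues once the backlog overflows; a flood from a single source against many destination IPs is still best stopped at the firewall by blocking or rate-limiting that source, which is what the thread found worked.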
