
Scrub and Kernel Panics

Hi all:
If this is a silly question, so be it.  ;-)
Anyhoo, I'm stress-testing my new firewall in the lab, and I'm
performing some IGMP DoS attacks against it.  Running something like
igmpofdeath (5000 packets) brings the system to a grinding halt (scrub
(yes, I know DoS attacks are basically undefensible, but read on...)
I tried setting a 5000 limit on the frags (scrub still on), and it was
able to handle 5000, but choked on 10000.  I'm still relatively new to
the concepts of stress-testing firewalls, so I'm not sure whether this
kind of thing is something that needs to be reported as a "bug". 
Normally I wouldn't think so, but seeing as how the memory pool is
supposedly being "capped", it makes me wonder.
The panic errors are fairly obvious in that they point to various
"normalization" or "frag" issues.  I'm going to turn off scrub entirely
to see if that helps, but I thought I'd ping (excuse the pun) you with
this anyway.
One other item.  The pf.conf manpage suggests that I should be able to
specify protocol options in the normalization rules, but pfctl is
spitting out syntax errors.  Is this a future feature?
Again, sorry if this is the stupidest question you've ever heard.
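For reference, here is the kind of ruleset the poster describes: a pf.conf that caps the fragment-reassembly pool with "set limit frags" and turns on normalization with a scrub rule. This is an added example, not a ruleset from the original post or from the pf project; the interface name fxp0 and the 5000 figure are assumptions chosen to mirror the numbers in the post.

```conf
# Added example (not from the original post): a minimal pf.conf that caps the
# fragment-reassembly memory pool and enables normalization.
# Assumptions: external interface is fxp0; the 5000 limit mirrors the post.
ext_if = "fxp0"

# Cap the memory pool used for fragment reassembly at 5000 entries.
# Once the pool is exhausted, further fragments are dropped rather than queued.
set limit frags 5000

# Normalize incoming traffic: reassemble fragments before the filter sees them.
scrub in on $ext_if all fragment reassemble

# Minimal default-deny policy (example only).
block in on $ext_if all
pass out on $ext_if all keep state
```

Syntax-check the file without loading it with "pfctl -nf /etc/pf.conf" (this is also the quickest way to find out whether a scrub option is accepted by the pfctl build in use), load it with "pfctl -f /etc/pf.conf", and watch the fragment pool during a test with "pfctl -s memory" and "pfctl -si", which show the configured limit and the current counters.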