
Re: Scrub and Kernel Panics

A couple notes:
1) I forgot to mention that during the 2nd test (frag limit set), I also
had scrub with fragment crop.
2) Turning off scrub altogether does alleviate the kernel panics.
Nevertheless, should I recreate/report the normalization bugs?
On Thu, 2002-11-14 at 02:15, Jason Dixon wrote:
> Hi all:
> If this is a silly question, so be it.  ;-)
> Anyhoo, I'm stress-testing my new firewall in the lab, and I'm
> performing some igmp DoS attacks against it.  Running something like
> igmpofdeath (5000 packets) brings the system to a grinding halt (scrub
> on).
> (yes, I know DoS attacks are basically undefensible, but read on...)
> I tried setting a 5000 limit on the frags (scrub still on), and it was
> able to handle 5000, but choked on 10000.  I'm still relatively new to
> the concepts of stress-testing firewalls, so I'm not sure whether this
> kind of thing is something that needs to be reported as a "bug". 
> Normally I wouldn't think so, but seeing as how the memory pool is
> supposedly being "capped", it makes me wonder.
> The panic errors are fairly obvious in that they point to various
> "normalization" or "frag" issues.  I'm going to turn off scrub entirely
> to see if that helps, but I thought I'd ping (excuse the pun) you with
> this anyway.
> One other item.  The pf.conf manpage suggests that I should be able to
> specify protocol options in the normalization rules, but pfctl is
> spitting out syntax errors.  Is this a future feature?
> Again, sorry if this is the stupidest question you've ever heard.
> -J.
Jason Dixon
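For reference, the two settings the thread turns on, written out as a pf.conf fragment. This is an added illustration, not configuration from Jason's firewall; the interface name `ext0` and the limit value are assumptions (5000 is also pf's documented default for `frags`).

```pf
# Added illustration, not part of the poster's setup. Interface name
# and limit value are assumed.

# Cap the memory pool pf uses for fragment entries (scrub rules).
# This bounds how many fragment entries pf will hold at once; it does
# not change the reassembly method.
set limit frags 5000

# "fragment crop" tracks fragments and trims overlaps but does not
# buffer them for reassembly; "fragment reassemble" (the default)
# buffers fragments until the complete datagram has arrived.
scrub in on ext0 all fragment crop

# Checks, typed at a shell rather than placed in pf.conf:
#   pfctl -nf /etc/pf.conf   # parse the ruleset without loading it
#   pfctl -s memory          # show the limits currently in effect
```

`pfctl -nf` is the quickest way to confirm whether a scrub option is accepted by the grammar of the installed release before attributing a syntax error to a missing feature, and `pfctl -s memory` confirms that a `set limit frags` line actually took effect.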