[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Scrub and Kernel Panics
A couple notes:
1) I forgot to mention that during the 2nd test (frag limit set), I also
had scrub with fragment crop.
2) Turning off scrub altogether does alleviate the kernel panics.
Nevertheless, should I recreate/report the normalization bugs?
On Thu, 2002-11-14 at 02:15, Jason Dixon wrote:
> Hi all:
> If this is a silly question, so be it. ;-)
> Anyhoo, I'm stress-testing my new firewall in the lab, and I'm
> performing some igmp DoS attacks against it. Running something like
> igmpofdeath (5000 packets) brings the system to a grinding halt (scrub
> (yes, I know DoS attacks are basically undefensible, but read on...)
> I tried setting a 5000 limit on the frags (scrub still on), and it was
> able to handle 5000, but choked on 10000. I'm still relatively new to
> the concepts of stress-testing firewalls, so I'm not sure whether this
> kind of thing is something that needs to be reported as a "bug".
> Normally I wouldn't think so, but seeing as how the memory pool is
> supposedly being "capped", it makes me wonder.
> The panic errors are fairly obvious in that they point to various
> "normalization" or "frag" issues. I'm going to turn off scrub entirely
> to see if that helps, but I thought I'd ping (excuse the pun) you with
> this anyway.
> One other item. The pf.conf manpage suggests that I should be able to
> specify protocol options in the normalization rules, but pfctl is
> spitting out syntax errors. Is this a future feature?
> Again, sorry if this is the stupidest question you've ever heard.