On 2020-12-18, mabi <m...@protonmail.ch> wrote:
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Friday, December 18, 2020 10:48 AM, Stuart Henderson 
> <s...@spacehopper.org> wrote:
>
>> It's something like "what % of max allowed states is half-open tcp".
>> Watch out as there are some bugs in this area, definitely the
>> accounting of half-open connections can be wildly off sometimes
>> (triggering adaptive syncookies when they shouldn't really be triggered)
>> and I think also with the behaviour when they're active, I have had
>> it trigger spuriously and then a bunch of connections failing when
>> triggered, so monitor it carefully if you enable this.
>
> Thank you for your precisions.
>
> This means that if I want to start using syncookies when I have over 40'000 
> half-open tcp states and stop using it when it is back down to 30'000 
> half-open tcp states I would use the following pf.conf parameter:
>
> set syncookies adaptive (start 4%, end 3%)
>
> Note that my max allowed states is set to 1'000'000.
>
> I guess this is better even if somehow imprecise than having syncookies set 
> to "always"...
>
> What is the best way to monitor the usage of adaptive syncookies? In the 
> output of "pfctl -si" I don't see any relevant metric for syncookies.

You'll see a rising count in pfctl -ss "synproxy" if they're active.

And if it's anything like when I try it, you'll see some TCP connections
failing when it is active too. Not everything fails, but e.g. if I have
"set syncookies always" on a router, and run "ftp -o- http://www.facebook.com/"
from a machine behind it, it fails every time (it appears to connect
immediately, but of course that's just syncookies - I never get a response
after making a request over it until I disable syncookies again).
In that case where syncookies are active but things are failing I see
PROXY and SYN_SENT states in pfctl -ss e.g.

all tcp 157.240.221.35:80 <- 82.68.199.130:16476       PROXY:DST
all tcp 82.68.199.130:16476 -> 157.240.221.35:80       SYN_SENT:CLOSED

So I strongly recommend trying it with 'always' and see if things are
broken for you. Otherwise if you set 'adaptive' you may get an unpleasant
surprise sometime maybe much later when they do actually trigger.
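
One way to watch for the PROXY:DST states mentioned above, added here as an example and not part of the thread: a small POSIX sh script that counts state entries in "pfctl -ss" style output and works out the start/end state counts that "set syncookies adaptive (start N%, end M%)" implies for a given state limit. The sample lines are constructed, the function names (count_states, threshold, syncookie_status) are my own, and the script assumes whole-number percentages.

```shell
#!/bin/sh
# Constructed sample of "pfctl -ss" output (not captured traffic). The first
# two lines mirror the PROXY:DST / SYN_SENT:CLOSED pair quoted in the reply.
SAMPLE_STATES='all tcp 157.240.221.35:80 <- 82.68.199.130:16476       PROXY:DST
all tcp 82.68.199.130:16476 -> 157.240.221.35:80       SYN_SENT:CLOSED
all tcp 203.0.113.10:443 <- 198.51.100.7:51234       ESTABLISHED:ESTABLISHED
all tcp 198.51.100.7:51234 -> 203.0.113.10:443       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.11:80 <- 198.51.100.8:40000       PROXY:DST
all udp 203.0.113.12:53 <- 198.51.100.9:5353       SINGLE:NO_TRAFFIC'

# count_states STATE  -- reads pfctl -ss style lines on stdin and prints how
# many entries have exactly that state in the last column (e.g. PROXY:DST).
count_states() {
    awk -v pat="$1" '$NF == pat { n++ } END { print n + 0 }'
}

# threshold LIMIT PCT -- number of states that PCT percent of LIMIT amounts to,
# i.e. what "start 4%" means when "set limit states 1000000" is in effect.
threshold() {
    echo $(( $1 * $2 / 100 ))
}

# syncookie_status LIMIT START_PCT END_PCT -- reads pfctl -ss lines on stdin,
# counts PROXY:DST entries (one per connection pf is answering with cookies)
# and reports where that count sits relative to the adaptive thresholds.
# This is a monitoring heuristic, not pf's own half-open accounting.
syncookie_status() {
    limit=$1; start_n=$(threshold "$1" "$2"); end_n=$(threshold "$1" "$3")
    proxied=$(count_states PROXY:DST)
    if [ "$proxied" -ge "$start_n" ]; then
        echo above-start   # adaptive mode would switch syncookies on
    elif [ "$proxied" -gt "$end_n" ]; then
        echo hysteresis    # between end and start: current mode is kept
    else
        echo below-end     # adaptive mode would switch syncookies off
    fi
}

# Demo with the thread's numbers: limit 1000000, start 4%, end 3%.
printf '%s\n' "$SAMPLE_STATES" | syncookie_status 1000000 4 3
```

On a live box replace the printf with "pfctl -ss" and run it from cron to get a trend rather than a single snapshot.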

