Hi,

We have been using OpenVAS for quite a long time now, and never paid attention to
the impact it had on our firewalls. This week, we noticed on an iptables
firewall the following log lines:
nf_conntrack: table full, dropping packet.

We did some research on conntrack, and we saw that on this firewall the
value of /proc/sys/net/nf_conntrack_max was 65536, a default value.

We did some tests, monitoring the number of lines inside
/proc/net/nf_conntrack, and made the following conclusions:

* Under a normal load, the firewall is following 10000 connections
* When we launch OpenVAS, this goes up to 65535 and the firewall starts
dropping packets
* We increased the max value to 120000, launched a scan, and the table
was once again full, firewall dropping packets.

We usually limit the number of hosts scanned to 4, with 5 NVTs per host,
and the scanning machine has 4 CPUs and 2G of RAM (virtual machine).

It seems that the value of the max conntrack has to be properly tuned on
the firewall as it has an impact on RAM consumption, we are working on it.

However, I would like to know how I can have control of what the
scanning machine is doing, and limit in OpenVAS the number of
connections opened. If I cannot do this:
* Either I put some rate-limiting on the firewall, requests will be
dropped, and OpenVAS might miss some things.
* Or I don't put rate-limiting, and when I scan, the firewall drops
legitimate traffic.

Does somebody have anything that could help me on this topic?

Thank you

-- 
Thibaut Pouzet
Lyra Network
Systems and Network Engineer
(+33) 5 31 22 40 08
www.lyra-network.com
_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
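One way to watch for the situation described in this message, added here as an example and not part of the original post or of OpenVAS itself: a POSIX shell script that measures conntrack table pressure (entries in use against nf_conntrack_max) and breaks the entries down by originating source address, so the scanner's share of the table, including its half-open [UNREPLIED] flows, is visible before the table fills. The conntrack entries below are constructed sample data in the /proc/net/nf_conntrack format; the thresholds and the tiny table size used in the demonstration call are assumptions chosen to trigger the warning.

```shell
#!/bin/sh
# Constructed sample in /proc/net/nf_conntrack format, one tracked flow per line.
# The first src=/dst= pair is the original direction; [UNREPLIED] marks
# half-open flows that never got an answer (what a port sweep leaves behind).
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.1.20 sport=44512 dport=443 src=10.0.1.20 dst=10.0.0.5 sport=443 dport=44512 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 115 SYN_SENT src=10.0.0.50 dst=10.0.1.21 sport=51000 dport=22 [UNREPLIED] src=10.0.1.21 dst=10.0.0.50 sport=22 dport=51000 mark=0 zone=0 use=2
ipv4     2 tcp      6 114 SYN_SENT src=10.0.0.50 dst=10.0.1.21 sport=51001 dport=23 [UNREPLIED] src=10.0.1.21 dst=10.0.0.50 sport=23 dport=51001 mark=0 zone=0 use=2
ipv4     2 tcp      6 114 SYN_SENT src=10.0.0.50 dst=10.0.1.22 sport=51002 dport=80 [UNREPLIED] src=10.0.1.22 dst=10.0.0.50 sport=80 dport=51002 mark=0 zone=0 use=2
ipv4     2 udp      17 28 src=10.0.0.50 dst=10.0.1.22 sport=51003 dport=161 [UNREPLIED] src=10.0.1.22 dst=10.0.0.50 sport=161 dport=51003 mark=0 zone=0 use=2
ipv4     2 tcp      6 431998 ESTABLISHED src=10.0.0.7 dst=10.0.1.20 sport=39000 dport=443 src=10.0.1.20 dst=10.0.0.7 sport=443 dport=39000 [ASSURED] mark=0 zone=0 use=2'

# Write the constructed sample to a temp file so every function takes a path,
# exactly as it would take /proc/net/nf_conntrack on the firewall.
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_CONNTRACK" > "$SAMPLE_FILE"
trap 'rm -f "$SAMPLE_FILE"' EXIT

# Number of tracked flows: one entry per line.
conntrack_count() {
    wc -l < "$1" | tr -d ' '
}

# Integer percentage of the table in use: entries * 100 / nf_conntrack_max.
conntrack_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Flows per originating source address, busiest first, printed as "count ip".
# Only the first src= field of each line is the originator.
conntrack_top_sources() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { sub(/^src=/, "", $i); c[$i]++; break } }
         END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# Half-open ([UNREPLIED]) flows originated by one source address.
conntrack_unreplied_from() {
    awk -v ip="src=$2" '
        $0 ~ /\[UNREPLIED\]/ { for (i = 1; i <= NF; i++) if ($i == ip) { n++; break } }
        END { print n + 0 }' "$1"
}

# Compare usage against a threshold percentage; non-zero exit is the alert
# signal for cron or a monitoring agent. Arguments: file, max, threshold.
conntrack_check() {
    cnt=$(conntrack_count "$1")
    pct=$(conntrack_usage_pct "$cnt" "$2")
    if [ "$pct" -ge "$3" ]; then
        echo "WARN: $cnt/$2 conntrack entries in use (${pct}%), threshold ${3}%"
        return 1
    fi
    echo "OK: $cnt/$2 conntrack entries in use (${pct}%)"
    return 0
}

# On a real firewall (paths from the message above), alert at 80% of the table:
#   conntrack_check /proc/net/nf_conntrack "$(cat /proc/sys/net/nf_conntrack_max)" 80
#   conntrack_top_sources /proc/net/nf_conntrack | head -n 5
# Demonstration against the constructed sample with an assumed table size of 8:
conntrack_check "$SAMPLE_FILE" 8 75 || :
conntrack_top_sources "$SAMPLE_FILE"
echo "half-open flows from 10.0.0.50: $(conntrack_unreplied_from "$SAMPLE_FILE" 10.0.0.50)"
```

Run periodically, the top-sources breakdown shows whether the growth is one host (the scanner) or general load, which is the information needed to decide between raising nf_conntrack_max, lowering the scan's concurrency, or shortening the UNREPLIED timeouts for half-open flows.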