On 27/04/2015 11:54, Lukas Grunwald wrote:
> Hi,
>
> On 27.04.2015 11:22, Thibaut Pouzet wrote:
>> Hi,
>>
>> * Under a normal load, the firewall is following 10000 connections
>> * When we launch OpenVAS, this goes up to 65535 and the firewall starts
>>   dropping packets
>> * We increased the max value to 120000, launched a scan, and the table
>>   was once again full, firewall dropping packets.
>
> Disable the connection tracking feature, this table will fill up
> automatically.
> OpenVAS is doing port scans, depending on your infrastructure, your
> firewalls (dropping TCP-FIN) and your environment this will never work.
>
>> We usually limit the number of hosts scanned to 4, with 5 NVT per host,
>> and the scanning machine has 4 CPU and 2G of RAM (Virtual machine).
>>
>> It seems that the value of the max conntrack has to be properly tuned on
>> the firewall as it has an impact on RAM consumption, we are working on
>> it.
>>
>> However, I would like to know how I can have control of what the
>> scanning machine is doing, and limit in OpenVAS this amount of
>> connections opened. If I cannot do this:
>> * Either I put some rate-limiting on the firewall, and requests will be
>>   dropped, OpenVAS might miss some things.
>> * Or I don't put rate-limiting, and when I scan, the firewall drops
>>   legitimate traffic.
>
> Disable the connection tracking feature in your Linux kernel and build
> one without it.
>
>> Does somebody have anything that could help me on this topic?
>>
>> Thank You
Hello Lukas,

I'm not sure disabling conntrack on the firewall is a good solution to this problem... Or a good idea either. Surely this is a solution that works, but if I was willing to disable it, I would not have sought help here in the first place.

We managed today to tune nmap through a scan-config to be less aggressive, but this is only nmap, and another tool might still be too aggressive. I was looking for a more global configuration, something like the "low impact" scanning profile you can see in Qualys for instance.

Cheers,
Thibaut Pouzet.

_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
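Added example, not part of this thread or of OpenVAS: a defender-side check on the firewall that answers "what is the scanner doing to the conntrack table" by parsing `/proc/net/nf_conntrack` entries, counting flows per originating host and how many are half-open (`[UNREPLIED]`), and flagging when the table is near `nf_conntrack_max`. The sample entries are constructed; the scanner address 10.1.2.3 and the thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed sample of /proc/net/nf_conntrack lines (not a real capture):
# one scanner host (10.1.2.3, assumed) opening half-open probes, plus normal traffic.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=10.1.5.20 dst=10.1.9.7 sport=51234 dport=443 src=10.1.9.7 dst=10.1.5.20 sport=443 dport=51234 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 118 SYN_SENT src=10.1.2.3 dst=10.1.9.7 sport=40001 dport=22 [UNREPLIED] src=10.1.9.7 dst=10.1.2.3 sport=22 dport=40001 mark=0 use=2
ipv4     2 tcp      6 118 SYN_SENT src=10.1.2.3 dst=10.1.9.7 sport=40002 dport=23 [UNREPLIED] src=10.1.9.7 dst=10.1.2.3 sport=23 dport=40002 mark=0 use=2
ipv4     2 tcp      6 118 SYN_SENT src=10.1.2.3 dst=10.1.9.8 sport=40003 dport=80 [UNREPLIED] src=10.1.9.8 dst=10.1.2.3 sport=80 dport=40003 mark=0 use=2
ipv4     2 udp      17 29 src=10.1.2.3 dst=10.1.9.8 sport=40004 dport=161 [UNREPLIED] src=10.1.9.8 dst=10.1.2.3 sport=161 dport=40004 mark=0 use=2
ipv4     2 udp      17 170 src=10.1.5.21 dst=10.1.9.9 sport=5353 dport=53 src=10.1.9.9 dst=10.1.5.21 sport=53 dport=5353 [ASSURED] mark=0 use=2
"""

SRC_RE = re.compile(r"\bsrc=(\S+)")

def parse_entry(line):
    """Return (originator, proto, replied) for one nf_conntrack line.
    The first src= on the line is the original direction, i.e. the host
    that opened the flow; [UNREPLIED] marks a flow the peer never answered."""
    fields = line.split()
    if len(fields) < 6:
        return None
    match = SRC_RE.search(line)
    if not match:
        return None
    return match.group(1), fields[2], "[UNREPLIED]" not in line

def summarize(lines):
    """Per-originator totals and half-open (unreplied) counts."""
    total, unreplied = Counter(), Counter()
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        src, _proto, replied = entry
        total[src] += 1
        if not replied:
            unreplied[src] += 1
    return total, unreplied

def top_talkers(total, n=3):
    """Hosts holding the most conntrack entries, most first."""
    return total.most_common(n)

def table_pressure(count, maximum, warn_pct=80):
    """True once nf_conntrack_count is at or past warn_pct% of nf_conntrack_max
    (on a live box read both from /proc/sys/net/netfilter/)."""
    return count * 100 >= maximum * warn_pct

if __name__ == "__main__":
    total, unreplied = summarize(SAMPLE_CONNTRACK.splitlines())
    for src, n in top_talkers(total):
        print(f"{src}: {n} entries, {unreplied[src]} half-open")
    print("table pressure:", table_pressure(65535, 65536))
```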
