A couple of notes:

1) I forgot to mention that during the 2nd test (frag limit set), I also had scrub with fragment crop.
2) Turning off scrub altogether does alleviate the kernel panics.

Nevertheless, should I recreate/report the normalization bugs?

-J.

On Thu, 2002-11-14 at 02:15, Jason Dixon wrote:
> Hi all:
>
> If this is a silly question, so be it. ;-)
>
> Anyhoo, I'm stress-testing my new firewall in the lab, and I'm
> performing some igmp DoS attacks against it. Running something like
> igmpofdeath (5000 packets) brings the system to a grinding halt (scrub
> on).
>
> (yes, I know DoS attacks are basically indefensible, but read on...)
>
> I tried setting a 5000 limit on the frags (scrub still on), and it was
> able to handle 5000, but choked on 10000. I'm still relatively new to
> the concepts of stress-testing firewalls, so I'm not sure whether this
> kind of thing is something that needs to be reported as a "bug".
> Normally I wouldn't think so, but seeing as how the memory pool is
> supposedly being "capped", it makes me wonder.
>
> The panic errors are fairly obvious in that they point to various
> "normalization" or "frag" issues. I'm going to turn off scrub entirely
> to see if that helps, but I thought I'd ping (excuse the pun) you with
> this anyway.
>
> One other item. The pf.conf manpage suggests that I should be able to
> specify protocol options in the normalization rules, but pfctl is
> spitting out syntax errors. Is this a future feature?
>
> Again, sorry if this is the stupidest question you've ever heard.
>
> -J.
>
> --
> Jason Dixon
> RHCE
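For readers following the thread, here is an added pf.conf fragment (not from the thread or from the OpenBSD project) showing the two settings being discussed: the fragment-reassembly pool capped with `set limit frags`, and a `scrub` rule using the `fragment crop` option on the external interface. The interface name `$ext_if` and the limit values are assumptions chosen to mirror the tests described above; the point of the cap is to bound the kernel memory that a fragment flood can consume, which is the behaviour the poster was testing.

```pf
# Added example, not the poster's configuration.
# Assumed interface macro; adjust to the firewall's actual external interface.
ext_if = "fxp0"

# Cap the fragment-reassembly pool so a flood of fragments cannot consume
# unbounded kernel memory. 5000 matches the second test in the thread;
# the states limit is an assumed, typical value.
set limit { frags 5000, states 10000 }

# Normalize inbound traffic on the external interface. "fragment crop"
# trims overlapping fragments instead of buffering a full reassembly
# (this is the option the poster had enabled during the second test).
scrub in on $ext_if all fragment crop

# Default deny, then allow what is needed (assumed minimal policy).
block all
pass out on $ext_if all keep state
```

Loading the file with `pfctl -nf /etc/pf.conf` parses the rules without installing them, which is the quickest way to confirm whether a given scrub option is accepted by the pfctl version in use before exercising the firewall under load.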
