Re: PF load balance problem

2006-06-01 Thread Alexey E. Suslikov
On Wednesday 31 May 2006 19:03, Diego Linke wrote:
> Alexey,
> A network prefix length of 0 can be used as a wildcard. To kill all states with the target ``host2'':
> # pfctl -k 0.0.0.0/0 -k host2
> so why don't you kill all states to dead pool member right after

Re: PF load balance problem

2006-06-01 Thread Diego Linke
Hi Alexey,

> so I think you broke pfctl -k by explicitly specifying src.track. why do you need src.track?

I have many customers whose applications do not share sessions, and I need src.track to keep the same customer on the same server for longer than the expiration time of

Re: PF load balance problem

2006-06-01 Thread Alexey E. Suslikov
On Thursday 01 June 2006 14:15, Diego Linke wrote:
> Hi Alexey,
> so I think you broke pfctl -k by explicitly specifying src.track. why do you need src.track?
> I have many customers whose applications do not share sessions, and I need src.track to keep the same customer longer

Re: PF load balance problem

2006-06-01 Thread Diego Linke
Alexey,

> have you tried source-hash option instead of source tracking?

The source-hash option would not work; it would have the same problem with source expirations.

-- 
Diego Linke
Public Key: http://www.gamk.com.br/gamk.asc

Re: PF load balance problem

2006-06-01 Thread Diego Linke
Alexey,

> is here do not share session means originate each session from different IP address?

No! The problem is when I remove a server from my load balancer and it continues sending connections to this server.

-- 
Diego Linke
Public Key: http://www.gamk.com.br/gamk.asc

Re: PF load balance problem

2006-06-01 Thread Diego Linke
Alexey,

> ok :) assume you have 5 sessions from a given client which originated from one client's IP. assume you specified sticky-address so all 5 sessions get redirected to one of the lb members. correct?

it's ok!!

> when this one lb member is dead, all sessions from the given client are dead. so why

Re: PF load balance problem

2006-06-01 Thread Diego Linke
Alexey,

> $ sudo pfctl -sa | grep tcp.established
> tcp.established 86400s

I work with high-traffic firewalls and have to work with much more aggressive timeout parameters.

-- 
Diego Linke
Public Key: http://www.gamk.com.br/gamk.asc

Re: PF load balance problem

2006-06-01 Thread Diego Linke
Alexey,

> pf is VERY fast on stateful filtering (while searching states). memory is the bottleneck (if number of states is high) but it is VERY easy to deal with nowadays: 2x512Mb of DDR RAM costs less than $100. or maybe firewall's CPU is slow?... post dmesg if permitted...
> -k kills states

Re: PF load balance problem

2006-05-31 Thread Diego Linke
Alexey,

> A network prefix length of 0 can be used as a wildcard. To kill all states with the target ``host2'':
> # pfctl -k 0.0.0.0/0 -k host2
> so why don't you kill all states to dead pool member right after removing it from the lb table?

This