--- Roberto Nibali <ratz@xxxxxxxxxxxx> wrote:
> Hi,
>
> > There are a bunch of timeouts which are not possible
> > to set by ipvsadm --set command.
> >
> > /proc/sys/net/ipv4/vs/timeout_close
> > /proc/sys/net/ipv4/vs/timeout_closewait
> > /proc/sys/net/ipv4/vs/timeout_established
> > /proc/sys/net/ipv4/vs/timeout_finwait
> > /proc/sys/net/ipv4/vs/timeout_icmp
> > /proc/sys/net/ipv4/vs/timeout_lastack
> > /proc/sys/net/ipv4/vs/timeout_listen
> > /proc/sys/net/ipv4/vs/timeout_synack
> > /proc/sys/net/ipv4/vs/timeout_synrecv
> > /proc/sys/net/ipv4/vs/timeout_synsent
> > /proc/sys/net/ipv4/vs/timeout_timewait
> > /proc/sys/net/ipv4/vs/timeout_udp
>
> Those were used as kind of a defense mechanism in the ancient days I
> come to believe and nowadays are to be replaced by the same parameters
> exported through the ip_conntrack module.
>
> Load ip_conntrack and walk the /proc/sys/net/ipv4/netfilter tree and
> wonders shall hit the earth ...
>
Thanks for the info. And do you think it will be used
along with secure_tcp defense strategy as
http://www.linux-vs.org/docs/defense.html described to
replace the timeouts mentioned?