
Re: modify the inActConn timeout Setting ...

To: Hendrik Thiel <thiel@xxxxxxxxxxxxx>
Subject: Re: modify the inActConn timeout Setting ...
Cc: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
From: Julian Anastasov <ja@xxxxxx>
Date: Thu, 22 Mar 2001 01:26:00 +0000 (GMT)
        Hello,

On Wed, 21 Mar 2001, Hendrik Thiel wrote:

> seconds. The question is now, what exactly does secure_tcp=3 do?
> "http://www.linuxvirtualserver.org/defense.html" says only a little
> about it. Didn't quite figure out what it's all about...

        Read again. It contains:

The valid values are from 0 to 3, where 0 means that this strategy is
always disabled, 1 and 2 mean automatic modes (when there is not enough
available memory, the strategy is enabled and the variable is
automatically set to 2, otherwise the strategy is disabled and the
variable is set to 1), and 3 means that the strategy is always enabled.



        The secure_tcp mode does not listen to the client's TCP flags
and in this way prevents long state timeouts caused by external
attackers. All strategies try to keep free memory in the director.
This is the reason you want to reduce the timeouts. No?

> with this lower expire time, we get a far lower amount of "inactconn"
> and everything seems to be all right...

        Yep, more free memory.

> The interesting thing to know is, what are the limits for the LVS
> (with NAT)... The number of available sockets? 65535 simultaneous
> connections? The memory? The masq table?

        The free memory, unlimited, 128 bytes/connection. LVS does
not use system sockets. The masq table is used only for LVS/NAT FTP
or for normal MASQ connections not part of LVS (by default 40960
connections per protocol). LVS has its own connection table, no
limits.


Regards

--
Julian Anastasov <ja@xxxxxx>


