Hi,
> Hello,
>
> On Wed, 21 Mar 2001, Hendrik Thiel wrote:
>
> > seconds. The question is now, what exactly does secure_tcp=3 ?
> > "http://www.linuxvirtualserver.org/defense.html" says only a little
> > about it. Didn't quite figure out what it's all about...
>
> Read again. It contains:
>
> The valid values are from 0 to 3, where 0 means that this strategy is
> always disabled, 1 and 2 mean automatic modes (when there is not enough
> available memory, the strategy is enabled and the variable is
> automatically set to 2, otherwise the strategy is disabled and the
> variable is set to 1), and 3 means that the strategy is always enabled.
The default is set to 0. This feature seems to make sense, so why not
set it to 3 or any of the automatic values :)
>
> The secure_tcp mode does not listen to the client's TCP flags
> and by this way prevents long state timeouts caused by external
> attackers. All strategies try to keep free memory in the director.
> This is the reason you want to reduce the timeouts. No?
Yes and no. The reason was reducing the masq table entries, because
I've been told that this might be a bottleneck... might?!
I have a lot of masq entries (3 realservers, 5000 inactconn per
realserver)... and I am afraid of running into problems with this large
number of inactconn... so I reduced the timewait variable to get
20-second connections instead of 2 minutes. I have to set
"net.ipv4.vs.secure_tcp=3", because that seems to be the only method
to successfully lower the idle timeout settings.
Do I have any alternatives? Or can the masq table handle that
many idle connections without getting into trouble?
>
> > with this lower expire time, we get a far lower amount of "inactconn"
> > and everything seems to be all right...
>
> Yep, more free memory.
>
> > The interesting thing to know is, what are the limits for the LVS
> > (with NAT)... The number of available sockets? 65535 simultaneous
> > connections? The memory? The masq table?
>
> The free memory, unlimited, 128 bytes/connection. LVS does
> not use system sockets. The masq table is used only for LVS/NAT FTP
> or for normal MASQ connections not part of LVS (by default 40960
> connections per protocol). LVS has its own connection table, no
> limits.
So the masq table is the weakness when using LVS/NAT...?
Regards,
Hendrik Thiel
Falk eSolutions AG
Tel: 02841/9097355
Fax: 02841-9097331
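The thread above argues about connection-table size on the director (3 real servers with about 5000 inactive connections each, 128 bytes per entry, a 2-minute versus 20-second idle timeout, and the separate 40960-entry masq table). The script below is an added example, not code from the thread or from the LVS project: it parses a constructed `ipvsadm -L -n` listing, sums the ActiveConn/InActConn columns, costs the table at the 128 bytes/connection figure quoted in the thread, and projects how the inactive-entry count changes with the idle timeout. The listing text, the addresses and the counts are constructed; the projection assumes a constant connection arrival rate (Little's law, entries = rate x timeout), which is my assumption and not something the thread states.

```python
"""Estimate LVS director connection-table load from `ipvsadm -L -n` output.

Added example, not from the mailing-list thread or the LVS project.
Assumptions: 128 bytes per connection entry (figure quoted in the thread);
the listing below is a constructed sample in the usual `ipvsadm -L -n`
layout; steady-state inactive entries scale linearly with the idle
timeout (Little's law), which is an assumption of this example.
"""
import re

BYTES_PER_CONN = 128          # per-connection cost quoted in the thread
MASQ_TABLE_DEFAULT = 40960    # default masq entries per protocol, as quoted

# Constructed sample of `ipvsadm -L -n` output: one virtual service and
# three real servers with roughly 5000 inactive connections each, which
# matches the numbers in the thread. Addresses are documentation ranges.
SAMPLE_IPVSADM = """\
IP Virtual Server version 0.0.0 (size=65536)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.0.2.10:80 wlc
  -> 10.0.0.1:80                  Masq    1      120        5012
  -> 10.0.0.2:80                  Masq    1      98         4987
  -> 10.0.0.3:80                  Masq    1      131        5044
"""

# A service line starts with the protocol; a real-server line starts with
# "->" followed by RIP:port, forwarding method, weight, active, inactive.
SERVICE_RE = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)")
REAL_RE = re.compile(r"^\s*->\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_ipvsadm(text):
    """Return one dict per real server: its virtual service, RIP:port,
    forwarding method, weight, and active/inactive connection counts.
    The column-header line does not match REAL_RE (non-numeric fields)."""
    servers = []
    service = None
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            service = {"proto": m.group(1), "vip": m.group(2),
                       "scheduler": m.group(3)}
            continue
        m = REAL_RE.match(line)
        if m and service is not None:
            servers.append({
                "service": service,
                "rip": m.group(1),
                "forward": m.group(2),
                "weight": int(m.group(3)),
                "active": int(m.group(4)),
                "inactive": int(m.group(5)),
            })
    return servers


def table_summary(servers):
    """Total active/inactive entries and their memory cost at
    BYTES_PER_CONN per entry."""
    active = sum(s["active"] for s in servers)
    inactive = sum(s["inactive"] for s in servers)
    total = active + inactive
    return {"active": active, "inactive": inactive, "total": total,
            "bytes": total * BYTES_PER_CONN}


def projected_inactive(inactive_now, timeout_now, timeout_new):
    """Steady-state inactive entries after changing the idle timeout,
    assuming the same arrival rate (entries scale with the timeout)."""
    return int(round(inactive_now * timeout_new / timeout_now))


def masq_table_pressure(inactive):
    """Fraction of the default per-protocol masq table these entries
    would fill if they lived there. Per the thread they do not (LVS keeps
    its own table), so this only quantifies the worry raised above."""
    return inactive / MASQ_TABLE_DEFAULT


if __name__ == "__main__":
    servers = parse_ipvsadm(SAMPLE_IPVSADM)
    summary = table_summary(servers)
    print("real servers:", [s["rip"] for s in servers])
    print("table entries: %d, memory ~%.1f KiB"
          % (summary["total"], summary["bytes"] / 1024))
    for t in (120, 20):
        print("idle timeout %3ds -> ~%d inactive entries"
              % (t, projected_inactive(summary["inactive"], 120, t)))
    print("share of default masq table: %.1f%%"
          % (100 * masq_table_pressure(summary["inactive"])))
```

On a real director, replace `SAMPLE_IPVSADM` with the captured output of `ipvsadm -L -n`; the parser only depends on the protocol prefix of service lines and the `->` prefix of real-server lines, so extra services and UDP entries are handled too.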