Comments on: Sockstress mitigation on Linux using Shorewall http://www.ipsidixit.net/2009/09/16/sockstress-mitigation-on-linux-using-shorewall/ A far off place Tue, 13 Jul 2010 15:07:23 +0000 hourly 1 http://wordpress.org/?v=3.0 By: sgroarke http://www.ipsidixit.net/2009/09/16/sockstress-mitigation-on-linux-using-shorewall/comment-page-1/#comment-3884 sgroarke Fri, 18 Sep 2009 09:35:55 +0000 http://www.ipsidixit.net/?p=191#comment-3884 Thanks for the pointer, but I can't find much more!! I looked for an archive of the irc #shorewall but did not find one, so do not have further details. Feel free to point me at them - I want to give people accurate, good information. Reviewing what's suggested, it's not clear how the Red Hat suggestion "breaks things". Again, please set me right on that and I'll add the info here. For my part, I've added this change to two live systems. Both medium-busy, running a variety of services (not just web) and have seen no breakage. Note that I did originally say: <blockquote>Note that the exact values used in the rules are, as the Red Hat advisory points out, going to be site specific. However the values given are a pretty good starting (and for many of us, finishing) point.</blockquote> Anyway, if anyone can enlighten me, please do. I always listen to advice! Thanks for the pointer, but I can’t find much more!! I looked for an archive of the irc #shorewall but did not find one, so do not have further details. Feel free to point me at them – I want to give people accurate, good information.

Reviewing what’s suggested, it’s not clear how the Red Hat suggestion “breaks things”. Again, please set me right on that and I’ll add the info here.

For my part, I’ve added this change to two live systems. Both medium-busy, running a variety of services (not just web) and have seen no breakage.

Note that I did originally say:

Note that the exact values used in the rules are, as the Red Hat advisory points out, going to be site specific. However the values given are a pretty good starting (and for many of us, finishing) point.

Anyway, if anyone can enlighten me, please do. I always listen to advice!

]]> By: karmapolis http://www.ipsidixit.net/2009/09/16/sockstress-mitigation-on-linux-using-shorewall/comment-page-1/#comment-3881 karmapolis Thu, 17 Sep 2009 17:01:13 +0000 http://www.ipsidixit.net/?p=191#comment-3881 Checkout the #shorewall archives, we chatted about this today. bleve suggests using Limit: instead of this, because this example breaks things. Checkout the #shorewall archives, we chatted about this today. bleve suggests using Limit: instead of this, because this example breaks things.

]]>