git.proxmox.com Git - pve-firewall.git/commit

]> git.proxmox.com Git - pve-firewall.git/commit

author	Alexandre Derumier <aderumier@odiso.com>
	Mon, 14 Apr 2014 07:59:47 +0000 (09:59 +0200)
committer	Dietmar Maurer <dietmar@proxmox.com>
	Mon, 14 Apr 2014 09:32:52 +0000 (11:32 +0200)
commit	28c082a187a76def02b212cbc1b6c8b48159d58b
tree	9e1263ce2ad4ae1a932ec8aea2c14147c336c9de	tree
parent	0365eb68439db796282603ef5d27cab82a07f3cd	commit \| diff

add tunnable nf_conntrack_tcp_timeout_established value

default nf_conntrack_tcp_timeout_established value is 5 days.

This is really huge, in case of a ddos attack for example

from:
https://dev.openwrt.org/ticket/12976

minimum value should be

"7875 seconds (= tcp_keepalive_time + tcp_keepalive_probes * tcp_keepalive_intvl = 7200 + 9 * 75 by default) to give the endpoints sufficient time to send keep-alive probes"

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

example/host.fw		diff \| blob \| blame \| history
src/PVE/Firewall.pm		diff \| blob \| blame \| history

Firewall test scripts

RSS Atom