RE: iptables problem getting url's hosted inside

To: tsean <tperkins@wtama.net>
Cc: debian-firewall@lists.debian.org
Subject: RE: iptables problem getting url's hosted inside
From: Mike Mestnik <cheako911@yahoo.com>
Date: Fri, 21 May 2004 17:00:17 -0700 (PDT)
Message-id: <[🔎] 20040522000017.28976.qmail@web11903.mail.yahoo.com>
In-reply-to: <[🔎] 018901c43f8b$10330680$f001a8c0@dreamaker>

--- tsean <tperkins@wtama.net> wrote:
> > There are still the CPU and bandwith issues also responces will be
> routed
> > directly bypassing the Firewalls state tables.  If you use the SNAT
> you
> > are likely to run out of usable ports as each outgoing connection will
> use
> > a diffrent source port.
> 
> I typically use a modified MonMotha script and setup static source NATs
> for all servers.  I would be interested in learning more about the
> possibility of running out of usable ports.  Do you remember where you
> saw this situation documented?
> 
RFC.  The port field is 16 bits (65535), 1024 are considered local so a
BEST you have 64511 ports.  All remote(server) systems will force you to
have a uniq port for each connection to it.  When I said at best i meant
it, you probly only have 10000 in reality based on what the NAT software
will use.  I know the linux kernel is vary HARD about this, ipfilter may
not be.  It's policy not to reuse local ports for, even for another IP.

Here is my mind spilled out into text.
192.168.1.1:45545 -> 192.168.1.20:80
192.168.1.1:45546 -> 192.168.1.20:80
192.168.1.1:45547 -> 192.168.1.20:80
192.168.1.1:45548 -> 192.168.1.21:80
192.168.1.1:45549 -> 192.168.1.22:80
It dose wrap around but the more you do this the more likely it is you
will bit your a$$.

> I haven't seen any cpu, memory, harddisk(if installed), or bandwidth
> issues on my firewalls specifically.  How do you run load tests on your
> firewalls?  I have made my syslog server sooooo busy that I had to add a
> second nic to connect to it with ssh.
> 
I use udp via nc from /dev/urandom for testing packet drops.  tcp is good
for what your talking about, you can really see the collision light go on
even with FD.

What happens is every packet goes to 192.168.1.1 from 192.168.1.1 and back
at 1500/56 the size.  "size / 1500 * ( 1500 + 1500 + 56 + 56 )" all on the
same poor nic.

> Thanks for your time Mike.  I always enjoy reading your responses.
> 
> tsean
> 



	
		
__________________________________
Do you Yahoo!?
Yahoo! Domains ? Claim yours for only $14.70/year
http://smallbusiness.promotions.yahoo.com/offer

Reply to:

References:
- RE: iptables problem getting url's hosted inside
  - From: "tsean" <tperkins@wtama.net>

Prev by Date: RE: iptables problem getting url's hosted inside
Next by Date: NAV a détecté un virus dans un document dont vous êtes l'auteur.
Previous by thread: RE: iptables problem getting url's hosted inside
Next by thread: Re: iptables problem getting url's hosted inside
Index(es):
- Date
- Thread