[Firewall] Rolling 1.9.0-rc5 into astlinux

Philip A. Prindeville philipp_subx at redfish-solutions.com
Fri Jan 2 20:48:35 CET 2009


Couple of observations.  We have no:

net.ipv4.ip_conntrack_max

in 2.6.26.8, as far as I can tell:

# sysctl -a | grep conntrack
sysctl: error: permission denied on key 'net.ipv4.route.flush'
net.ipv4.netfilter.ip_conntrack_generic_timeout = 600
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 432000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_last_ack = 30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close = 10
net.ipv4.netfilter.ip_conntrack_tcp_timeout_max_retrans = 300
net.ipv4.netfilter.ip_conntrack_tcp_loose = 1
net.ipv4.netfilter.ip_conntrack_tcp_be_liberal = 0
net.ipv4.netfilter.ip_conntrack_tcp_max_retrans = 3
net.ipv4.netfilter.ip_conntrack_udp_timeout = 30
net.ipv4.netfilter.ip_conntrack_udp_timeout_stream = 180
net.ipv4.netfilter.ip_conntrack_icmp_timeout = 30
net.ipv4.netfilter.ip_conntrack_max = 16384
net.ipv4.netfilter.ip_conntrack_count = 20
net.ipv4.netfilter.ip_conntrack_buckets = 4096
net.ipv4.netfilter.ip_conntrack_checksum = 1
net.ipv4.netfilter.ip_conntrack_log_invalid = 0
net.netfilter.nf_conntrack_generic_timeout = 600
net.netfilter.nf_conntrack_max = 16384
net.netfilter.nf_conntrack_count = 19
net.netfilter.nf_conntrack_buckets = 4096
net.netfilter.nf_conntrack_checksum = 1
net.netfilter.nf_conntrack_log_invalid = 0
net.netfilter.nf_conntrack_expect_max = 64
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 432000
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
net.netfilter.nf_conntrack_tcp_loose = 1
net.netfilter.nf_conntrack_tcp_be_liberal = 0
net.netfilter.nf_conntrack_tcp_max_retrans = 3
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 180
net.netfilter.nf_conntrack_icmp_timeout = 30
net.nf_conntrack_max = 16384
#


Also, the busybox version of "sysctl" has no "-q" option, so I had to use:

sysctl()
{
  # busybox sysctl has no -q (quiet) flag: drop it and pass the rest through
  if [ "$1" = "-q" ]; then
    shift
  fi

  # absolute path, so the wrapper does not call itself
  /sbin/sysctl "$@"
}


in "environment".

Actually, there are other issues:

Setup kernel settings:
Setting the max. amount of simultaneous connections to 8192
/sbin/sysctl net.nf_conntrack_max=8192
/sbin/sysctl net.ipv4.netfilter.ip_conntrack_max=8192
Setting default conntrack timeouts
/sbin/sysctl net.netfilter.nf_conntrack_udp_timeout=60
/sbin/sysctl net.ipv4.netfilter.ip_conntrack_udp_timeout=60
WARNING: ...conntrack_udp_timeout could NOT be set. This may be a problem!
/sbin/sysctl net.netfilter.nf_conntrack_udp_timeout_stream=180
/sbin/sysctl net.ipv4.netfilter.ip_conntrack_udp_timeout_stream=180
WARNING: ...conntrack_udp_timeout_stream could NOT be set. This may be a problem!
/sbin/sysctl net.ipv4.conf.all.send_redirects=0
sysctl: error: 'net.ipv4.conf.all.send_redirects=0' is an unknown key
Enabling protection against source routed packets
/sbin/sysctl net.ipv4.conf.all.accept_source_route=0
sysctl: error: 'net.ipv4.conf.all.accept_source_route=0' is an unknown key
/sbin/sysctl net.ipv4.icmp_echo_ignore_broadcasts=1
sysctl: error: 'net.ipv4.icmp_echo_ignore_broadcasts=1' is an unknown key
/sbin/sysctl net.ipv4.icmp_ignore_bogus_error_responses=1
sysctl: error: 'net.ipv4.icmp_ignore_bogus_error_responses=1' is an unknown key
Enabling packet forwarding
/sbin/sysctl net.ipv4.ip_forward=1
sysctl: error: 'net.ipv4.ip_forward=1' is an unknown key
WARNING: net.ipv4.ip_forward could not be set! If you're using
          NAT or any other type of forwarding this may be a problem.
Enabling reduction of the DoS'ing ability
/sbin/sysctl net.ipv4.tcp_fin_timeout=30
sysctl: error: 'net.ipv4.tcp_fin_timeout=30' is an unknown key
/sbin/sysctl net.ipv4.tcp_keepalive_time=1800
sysctl: error: 'net.ipv4.tcp_keepalive_time=1800' is an unknown key
/sbin/sysctl net.ipv4.ip_local_port_range=32768 61000
sysctl: error: 'net.ipv4.ip_local_port_range=32768 61000' is an unknown key
Enabling anti-spoof with rp_filter
/sbin/sysctl net.ipv4.conf.all.rp_filter=1
sysctl: error: 'net.ipv4.conf.all.rp_filter=1' is an unknown key
/sbin/sysctl net.ipv4.icmp_echo_ignore_all=0
sysctl: error: 'net.ipv4.icmp_echo_ignore_all=0' is an unknown key
Enabling SYN-flood protection via SYN-cookies
/sbin/sysctl net.ipv4.tcp_syncookies=1
sysctl: error: 'net.ipv4.tcp_syncookies=1' is an unknown key
Enabling the logging of martians
/sbin/sysctl net.ipv4.conf.all.log_martians=1
sysctl: error: 'net.ipv4.conf.all.log_martians=1' is an unknown key
Disabling the acception of ICMP-redirect messages
/sbin/sysctl net.ipv4.conf.all.accept_redirects=0
sysctl: error: 'net.ipv4.conf.all.accept_redirects=0' is an unknown key
Setting default TTL=64
/sbin/sysctl net.ipv4.ip_default_ttl=64
sysctl: error: 'net.ipv4.ip_default_ttl=64' is an unknown key
Enabling ECN (Explicit Congestion Notification)
/sbin/sysctl net.ipv4.tcp_ecn=1
sysctl: error: 'net.ipv4.tcp_ecn=1' is an unknown key
/sbin/sysctl net.ipv4.ip_dynaddr=0
sysctl: error: 'net.ipv4.ip_dynaddr=0' is an unknown key
/sbin/sysctl net.ipv4.ip_no_pmtu_disc=0
sysctl: error: 'net.ipv4.ip_no_pmtu_disc=0' is an unknown key
Flushing route table
/sbin/sysctl net.ipv4.route.flush=1
sysctl: error: 'net.ipv4.route.flush=1' is an unknown key
Kernel setup done...


Hmmmm...

Ah, got it.  Under busybox, we require "-w" to modify the value...  so I added:

sysctl()
{
  # busybox sysctl has no -q (quiet) flag: drop it and pass the rest through
  if [ "$1" = "-q" ]; then
    shift
  fi

  args=
  case $1 in
  net.ipv4.ip_conntrack_max*) return ;;   # key does not exist on 2.6.26.8, skip it
  *=*) args='-w' ;;                       # busybox needs -w to write a key=value
  esac

  /sbin/sysctl $args "$@"
}

instead.
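The two problems in the post (busybox sysctl lacking -q and needing -w, and the conntrack limit living under a different key name depending on the kernel) can also be sidestepped by writing /proc/sys directly and reading the value back, which catches the silent "could NOT be set" case. The script below is an added example, not the poster's code nor part of astlinux; SYSCTL_ROOT, set_sysctl and set_conntrack_max are names chosen for this example, and SYSCTL_ROOT defaults to /proc/sys but can be pointed at a scratch directory to exercise the logic as non-root.

```shell
#!/bin/sh
# Added example (not from the original post or from astlinux): set kernel
# parameters via /proc/sys so the same code works under busybox and procps
# sysctl, and verify that the kernel actually kept each value.
#
# SYSCTL_ROOT is an assumption of this example: it defaults to /proc/sys and
# can be redirected to a scratch directory for testing as an unprivileged user.
SYSCTL_ROOT=${SYSCTL_ROOT:-/proc/sys}

# key_path net.ipv4.ip_forward  ->  $SYSCTL_ROOT/net/ipv4/ip_forward
key_path() {
    echo "$SYSCTL_ROOT/$(echo "$1" | tr . /)"
}

# set_sysctl KEY VALUE
#   returns 0 on success, 2 if the key does not exist on this kernel,
#   1 if the write failed or the value read back differs from what was set.
set_sysctl() {
    key=$1; value=$2
    path=$(key_path "$key")
    if [ ! -f "$path" ]; then
        echo "skip: $key does not exist on this kernel" >&2
        return 2
    fi
    if ! printf '%s\n' "$value" > "$path" 2>/dev/null; then
        echo "error: could not write $key" >&2
        return 1
    fi
    # The kernel may clamp or reject a value without an error; compare what
    # it kept.  Multi-value keys (ip_local_port_range) read back tab-separated,
    # so squeeze whitespace on both sides before comparing.
    got=$(tr -s '[:space:]' ' ' < "$path" | sed 's/ $//')
    want=$(printf '%s' "$value" | tr -s '[:space:]' ' ')
    if [ "$got" != "$want" ]; then
        echo "WARNING: $key is '$got', wanted '$want'" >&2
        return 1
    fi
    return 0
}

# set_conntrack_max N
#   The conntrack table limit has been exposed under several names over the
#   kernel's history; try the newest first and fall back, so one script works
#   across versions instead of hard-coding net.ipv4.ip_conntrack_max.
set_conntrack_max() {
    for key in net.nf_conntrack_max \
               net.ipv4.netfilter.ip_conntrack_max \
               net.ipv4.ip_conntrack_max; do
        rc=0
        set_sysctl "$key" "$1" || rc=$?
        [ "$rc" -ne 2 ] && return "$rc"
    done
    echo "error: no conntrack_max key found" >&2
    return 2
}

# Usage (as root):  sh set_sysctl.sh apply
# Applies a subset of the settings from the kernel-setup log above.
if [ "${1:-}" = "apply" ]; then
    set_conntrack_max 8192
    set_sysctl net.ipv4.ip_forward 1
    set_sysctl net.ipv4.conf.all.rp_filter 1
    set_sysctl net.ipv4.tcp_syncookies 1
    set_sysctl net.ipv4.ip_local_port_range "32768 61000"
fi
```

Because the write goes through the filesystem rather than a sysctl binary, the -q/-w differences never arise, and the readback compare turns the "WARNING: ... could NOT be set" case into a nonzero return code the firewall script can act on rather than a line that scrolls past during boot.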




