|Hi Dom,
|
|I know that you can increase the connections
|managed by the kernel of FW-1, I will increase it to
|50.000 (some time ago CheckPoint said to me that it
|was the limit...), but I think the problem is not on that
|feature. When I send packets, I always send the
|same packet (same source port, same dest port,
|same source address, same dest address, same
|sequence number, ...) so, do you think FW-1 tracks
|every packet received as a new connection, or does it only
|refresh its state table as if there was only one
|connection?

Wow, then that's a bug, as "duplicates" should be dropped.

|Moreover, ippacket generates packets at a very high
|rate, and I do not believe FW-1 (and many other
|firewalls) is able to manage this flood of SYN
|requests.

Yep, some firewalls don't even do wire speed, and many can't cope when it's all small packets.

|"RTFM" ---> Yes, I read it a loooong time ago, ... have
|you at least tried to apply the D.o.S. that I describe?

No need, on a Pix I've seen it hang because of a single Nimda'd box! When you limit the connection table size, down to a single host, then resource exhaustion just freezes comms for that host for a little while. I don't think you can do it for a CPK box, which is a design feature (fully-shared vs. allocated table space) - somewhere in between would be nice.

Sorry for the comment, it was a long day, and your points seemed (fairly) obvious. Of course, if duplicate packets are causing a problem, then that's a big bug.

Dom
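As an added illustration of the two behaviours argued about in this exchange (constructed example, not code from either poster or from any firewall vendor): a toy Python state table keyed on the TCP 5-tuple. With dedupe=True a replayed identical SYN only refreshes the one existing entry; with dedupe=False it models the suspected bug where every copy allocates a fresh entry until the shared table is exhausted and everyone is dropped, and the optional per_host cap models the per-host throttling Dom describes, where only the offending source is frozen. All addresses and table sizes are constructed.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass(frozen=True)
class Syn:
    """The fields a stateful firewall keys a TCP connection on (5-tuple)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class ConnTable:
    """Constructed model of a connection/state table (hypothetical, not a real product)."""
    max_entries: int                   # global table size (fully shared, FW-1 style)
    per_host: Optional[int] = None     # optional per-source allocation (PIX style)
    dedupe: bool = True                # False models "every identical packet is a new connection"
    entries: Dict[object, int] = field(default_factory=dict)
    by_src: Counter = field(default_factory=Counter)
    _seq: int = 0                      # only used to give the buggy mode distinct keys

    def observe(self, pkt: Syn) -> str:
        """Return 'refresh', 'new' or 'drop' for one inbound SYN."""
        if self.dedupe and pkt in self.entries:
            self.entries[pkt] += 1     # duplicate: touch state, allocate nothing
            return "refresh"
        if len(self.entries) >= self.max_entries:
            return "drop"              # shared table exhausted: every source suffers
        if self.per_host is not None and self.by_src[pkt.src] >= self.per_host:
            return "drop"              # only this source is throttled
        self._seq += 1
        key = pkt if self.dedupe else (pkt, self._seq)
        self.entries[key] = 1
        self.by_src[pkt.src] += 1
        return "new"


def replay(table: ConnTable, pkt: Syn, count: int) -> Counter:
    """Feed the same SYN `count` times and tally the verdicts."""
    return Counter(table.observe(pkt) for _ in range(count))
```

Running replay() with dedupe=True leaves one entry no matter how many copies arrive, which is the behaviour the thread says a correct firewall must have.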
This archive was generated by hypermail 2b30 : Mon Feb 18 2002 - 16:43:58 PST