Re: Inetd suddenly stops accepting connections

David Lang (dlang@diginsite.com)
Sun, 6 Jun 1999 20:09:57 -0700 (PDT)



This happens to be in the FAQ (I had trouble with the same thing when I
first deployed the FWTK).

What is happening is that inetd has a throttle on it so that if a program
crashes it will not kill the system. This throttle is far too low for any
serious firewall. There are two options:

1. Up the throttle limit.
   In inetd add .number to the nowait field (the default is 60, so
   nowait.600 ups it by 10x).

2. Set the proxy to run as a daemon. This is far better for performance, as
   #1 will kill your machine from the overhead of parsing the config file.

David Lang

On Sun, 6 Jun 1999 scode@scode.ddns.org wrote:

> Date: Sun, 6 Jun 1999 19:58:15 +0200
> From: scode@scode.ddns.org
> To: linux-net@vger.rutgers.edu
> Subject: Inetd suddenly stops accepting connections
>
> Hello,
>
> I have a problem with inetd. After installing the TIS FWTK on a firewall,
> I had inetd launch http-gw in response to connections on port 80. This works
> fine - for a while. It always stops accepting connections after a few minutes.
> Other services keep going (I tried enabling the echo server for example, and
> after it stopped listening to 80 I could still connect to the echo server).
>
> Could it be some kind of built-in DOS attack protection or something? Or
> possibly a bug? Any ideas?
>
> Here's the relevant part of the output of "netstat -a -n" when it *doesn't*
> work.
>
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
> tcp      290      0 10.0.0.1:80             10.0.0.10:1690          CLOSE
> tcp      276      0 10.0.0.1:80             10.0.0.10:1576          CLOSE
>
> And here's when it *does* work:
>
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 10.0.0.1:80             10.0.0.10:1705          CLOSE
> tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
> tcp      290      0 10.0.0.1:80             10.0.0.10:1690          CLOSE
> tcp      276      0 10.0.0.1:80             10.0.0.10:1576          CLOSE
>
> The firewall's IP is 10.0.0.1 and the computers trying to access it are
> 10.0.0.x (in this case 10.0.0.10 has been the test client).
>
> I must confess to not remembering the details of the TCP connection states,
> but why do a bunch of them linger around in the CLOSE state? And it seems
> inetd is listening in both cases...
>
> Any help would be greatly appreciated.
>
> Thanks!
>
> --
> / Peter Schuller
>
> ---
> PGP userID: 0x5584BD98 or 'Peter Schuller <scode@scode.ddns.org>'
> E-Mail: scode@scode.ddns.org Web: http://hem.passagen.se/petersch
> Help create a free Java based operating system - www.jos.org.
>
>
>

"If users are made to understand that the system administrator's job is to
make computers run, and not to make them happy, they can, in fact, be made
happy most of the time. If users are allowed to believe that the system
administrator's job is to make them happy, they can, in fact, never be made
happy."
-Paul Evans (as quoted by Barb Dijker in "Managing Support Staff", LISA '97)

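
Added example (not part of the original message, and not code from inetd or the FWTK): a Python audit of an inetd.conf for the `.number` suffix the reply describes, listing which `nowait` services still run on the default spawn limit and can therefore stall under load. The sample config, the proxy paths and the function names are constructed for illustration; the default of 60 is the figure given in the reply.

```python
from typing import NamedTuple

DEFAULT_MAX = 60  # default stated in the reply above; confirm in your inetd man page

class Entry(NamedTuple):
    lineno: int
    service: str
    mode: str       # "wait" or "nowait"
    limit: int      # max spawns inetd allows per counting interval
    explicit: bool  # True when the config line carries a ".number" suffix

def spawn_limits(conf_text, default_max=DEFAULT_MAX):
    """Parse inetd.conf text and return one Entry per active service line."""
    entries = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or commented-out service
        fields = line.split()
        if len(fields) < 6:
            raise ValueError(f"line {lineno}: expected at least 6 fields")
        mode, dot, suffix = fields[3].partition(".")
        if mode not in ("wait", "nowait"):
            raise ValueError(f"line {lineno}: bad wait field {fields[3]!r}")
        if dot and not suffix.isdecimal():
            raise ValueError(f"line {lineno}: bad limit in {fields[3]!r}")
        limit = int(suffix) if dot else default_max
        entries.append(Entry(lineno, fields[0], mode, limit, bool(dot)))
    return entries

def throttle_candidates(entries):
    """nowait services with no explicit limit: the ones the throttle hits first."""
    return [e.service for e in entries if e.mode == "nowait" and not e.explicit]

# Constructed sample; the proxy paths are assumptions, not taken from the thread.
SAMPLE = """\
# service  type    proto  wait        user  server                  args
echo       stream  tcp    nowait      root  internal
http       stream  tcp    nowait      root  /usr/local/etc/http-gw  http-gw
ftp        stream  tcp    nowait.600  root  /usr/local/etc/ftp-gw   ftp-gw
#telnet    stream  tcp    nowait      root  /usr/local/etc/tn-gw    tn-gw
"""

if __name__ == "__main__":
    for e in spawn_limits(SAMPLE):
        note = "explicit" if e.explicit else "default"
        print(f"line {e.lineno}: {e.service:<6} {e.mode:<6} limit={e.limit} ({note})")
    print("on default limit:", throttle_candidates(spawn_limits(SAMPLE)))
```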