Attention v2.9.16 users!

Posted: Fri Mar 10, 2006 10:57 am
by uldis
If you are using v2.9.16 then please change
 /ip firewall connection tracking>print
enabled: yes
tcp-syn-sent-timeout: 50ms
tcp-syn-received-timeout: 50ms
...
to
 /ip firewall connection tracking>print
enabled: yes
tcp-syn-sent-timeout: 5s
tcp-syn-received-timeout: 5s
...

Posted: Fri Mar 10, 2006 2:01 pm
by spoiler
Nice, 2 hours trying to figure out why nearby servers worked and others not... and why icmp was working with all of them, thought it was a BGP issue...

Just as a note... if you downgrade, the setting will stay unchanged!

Posted: Fri Mar 10, 2006 2:18 pm
by pekr
guys, isn't it better to simply release 2.9.17?! Remember - not all ppl do visit this forum ....

-pekr-

Posted: Fri Mar 10, 2006 5:27 pm
by uldis
guys, isn't it better to simply release 2.9.17?! Remember - not all ppl do visit this forum ....
Done

Re: Attention v2.9.16 users!

Posted: Fri Mar 10, 2006 6:23 pm
by changeip
If you are using v2.9.16 then please change
 /ip firewall connection tracking>print
enabled: yes
tcp-syn-sent-timeout: 50ms
tcp-syn-received-timeout: 50ms
...
to
 /ip firewall connection tracking>print
enabled: yes
tcp-syn-sent-timeout: 5s
tcp-syn-received-timeout: 5s
...
5s? Was the previous value something like 1-2m? I think 5s is still too short for many users on slow dialup, cellular, etc. I'm just throwing this out there, not saying 5s is wrong though...

Sam

Posted: Fri Mar 10, 2006 6:54 pm
by DirectWireless
We sell MT routers to corporate customers who manage them themselves (we provide consulting support), and man, I had a stack of phone messages this morning when I came in from frantic customers!

Posted: Thu Mar 16, 2006 8:42 pm
by samsoft08
[admin@MikroTik] ip firewall connection tracking> print
enabled: yes
tcp-syn-sent-timeout: 1m
tcp-syn-received-timeout: 1m

This is my MT setup... should I change 1m to 5s? And why?

Posted: Mon Mar 20, 2006 4:52 am
by Hammy
[admin@MikroTik] ip firewall connection tracking> print
enabled: yes
tcp-syn-sent-timeout: 1m
tcp-syn-received-timeout: 1m

This is my MT setup... should I change 1m to 5s? And why?
Same here... suggestions?

Posted: Mon Mar 20, 2006 10:52 am
by aviper
Tip: The topic is: Attention v2.9.16 users! ...

Posted: Mon Mar 20, 2006 10:57 am
by cmit
This value (roughly said) defines the time-span that it may take to completely open a TCP connection. This is started by a SYN packet, and if the SYN-ACK packet doesn't arrive during the time you can configure here, the "half-open" connection is dropped.

The main reason to keep this short is that this is one way to run a denial-of-service attack: if your system waits 1 minute to see whether some (every) half-open connection will finally become a fully established connection, it has to keep a rather long table of connections. By just starting to open enough "half-open" TCP connections you can block a system so that it cannot accept legitimate new TCP connections anymore.

So having this value at an unnecessarily high value is kind of dangerous. And 1 minute is too high in my opinion. 5 seconds should be enough to establish a TCP connection - remember: that does not mean that everything has to be over in 5 seconds - just that the connection has to be completely established in max. 5 seconds.

Best regards,
Christian Meis
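The tradeoff Christian describes (a long SYN-sent timeout lets unanswered SYNs pile up in the tracking table until legitimate clients are refused, while a very short one fails slow but legitimate handshakes) can be seen in a small model. The following is an added example written for this thread, not RouterOS code and not from any of the posters; it uses a toy connection-tracking table and a constructed traffic mix (100 unanswered SYNs per second, one legitimate handshake per second with round-trip times cycling from 30 ms to 8 s) against an assumed table capacity of 1000 entries. The three timeouts it compares are the ones discussed in the thread: 1m, 5s and the buggy 50ms.

```python
"""Toy model of tcp-syn-sent-timeout versus connection-tracking table pressure.

Added example for this thread: not RouterOS code.  The tracker, the table
capacity and the traffic mix below are all constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class ConnTracker:
    """Minimal stand-in for a connection-tracking table."""
    syn_sent_timeout: float            # seconds, plays the role of tcp-syn-sent-timeout
    max_entries: int                   # capacity of the tracking table (assumed)
    entries: dict = field(default_factory=dict)  # conn id -> (created_at, state)
    rejected: int = 0                  # SYNs refused because the table was full

    def expire(self, now: float) -> None:
        """Remove half-open entries that have outlived the SYN-sent timeout."""
        stale = [cid for cid, (t0, state) in self.entries.items()
                 if state == "syn-sent" and now - t0 >= self.syn_sent_timeout]
        for cid in stale:
            del self.entries[cid]

    def syn(self, cid: str, now: float) -> bool:
        """A SYN creates a half-open entry if there is room in the table."""
        self.expire(now)
        if len(self.entries) >= self.max_entries:
            self.rejected += 1
            return False
        self.entries[cid] = (now, "syn-sent")
        return True

    def syn_ack(self, cid: str, now: float) -> bool:
        """The SYN-ACK completes the handshake only if its entry still exists."""
        self.expire(now)
        if cid not in self.entries:
            return False
        self.entries[cid] = (self.entries[cid][0], "established")
        return True


def expected_half_open(syn_rate: float, timeout: float) -> float:
    """Little's law: steady-state number of half-open entries produced by
    a stream of unanswered SYNs arriving at syn_rate per second."""
    return syn_rate * timeout


def simulate(timeout: float, max_entries: int, duration: float = 60.0,
             stray_syn_rate: float = 100.0,
             legit_rtts=(0.03, 0.2, 1.0, 4.0, 8.0),
             legit_interval: float = 1.0) -> dict:
    """Replay a constructed traffic mix through the tracker.

    Stray SYNs arrive at stray_syn_rate per second and never get a SYN-ACK;
    one legitimate handshake starts every legit_interval seconds and its
    SYN-ACK arrives after a round-trip time cycled from legit_rtts.
    """
    tracker = ConnTracker(timeout, max_entries)
    events = []  # (time, priority, conn id, kind); priority fixes tie order
    for k in range(int(stray_syn_rate * duration)):
        events.append((k / stray_syn_rate, 0, f"stray-{k}", "syn"))
    for j in range(int(duration / legit_interval)):
        t = j * legit_interval
        rtt = legit_rtts[j % len(legit_rtts)]
        events.append((t, 1, f"legit-{j}", "syn"))
        events.append((t + rtt, 2, f"legit-{j}", "syn-ack"))
    events.sort()

    pending = set()          # legitimate handshakes whose SYN was accepted
    completed = failed = 0
    for t, _, cid, kind in events:
        if kind == "syn":
            ok = tracker.syn(cid, t)
            if cid.startswith("legit"):
                if ok:
                    pending.add(cid)
                else:
                    failed += 1   # table full: the client cannot even start
        elif cid in pending:
            pending.remove(cid)
            if tracker.syn_ack(cid, t):
                completed += 1
            else:
                failed += 1       # entry expired before the SYN-ACK arrived
    return {"completed": completed, "failed": failed,
            "rejected": tracker.rejected, "table": len(tracker.entries)}


if __name__ == "__main__":
    for label, timeout in (("1m", 60.0), ("5s", 5.0), ("50ms", 0.05)):
        print(label, "steady-state strays:", expected_half_open(100.0, timeout),
              simulate(timeout, 1000))
```

With the assumed numbers, 1m lets the 100 strays per second fill the 1000-entry table within ten seconds, after which every new legitimate SYN is refused; 5s keeps the table at a few hundred entries and only the 8 s handshakes fail; 50ms keeps the table nearly empty but fails every handshake slower than 30 ms, which is the symptom the thread started with. The right value for a given router depends on the real table size and the clients' actual round-trip times, which is exactly what the 5s versus 30s discussion is about.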

Posted: Mon Mar 20, 2006 6:46 pm
by changeip
I've seen dialup users take longer than 5 sometimes ... 5-10s would be a good middle ground. 1m is definitely too long : )

Posted: Tue Mar 21, 2006 11:01 am
by sten
30 seconds in my opinion.
It matters to the functions that limit the number of connections.