From "Bill Jones" <>
Subject Re: Invalid argument: setsockopt: (TCP_NODELAY)
Date Wed, 13 Oct 1999 12:46:10 GMT
> Solaris v2.6.
> The people around here were getting jumpy about little error messages,
> and saying pagan things like "is Apache really cut out to handle this
> site"

If the 'audience' is gonna have a bowel movement -
there is very little you can do to stop it.
They may be on a witch hunt.

The Apache docs don't really say it's *not* a problem.
How many log entries are you getting?  Have you messed
with the ndd /dev/tcp \? settings?

2.6 is funny...  Is your 2.6 fully patched?


Do a
     ndd /dev/ip \?  to verify correct sequences..
     ndd /dev/tcp \?  to verify correct sequences..

The command set (for the /etc/init.d/inetinit file) is:

# Disable ANY packet forwarding. Same as touching /etc/notrouter...
ndd -set /dev/ip ip_forwarding 0

# Disable directed broadcasts...
ndd -set /dev/ip ip_forward_directed_broadcasts 0

# Disable forwarding source-routed packets...
ndd -set /dev/ip ip_forward_src_routed 0

# Enable RFC 1948 support, which uses less predictable TCP sequence numbers;
# copy the encrypted password from /etc/shadow as the tcp_1948_phrase...
# (First line same as adding TCP_STRONG_ISS=2 into /etc/default/inetinit...)
ndd -set /dev/tcp tcp_strong_iss 2

#Not Used: ndd -set /dev/tcp tcp_1948_phrase <root passwd from /etc/shadow>

# Disable responding to broadcast pings, a prevalent DoS attack (SMURF.)
ndd -set /dev/ip ip_respond_to_echo_broadcast 0

# Defend against SYN flooding...
ndd -set /dev/tcp tcp_ip_abort_cinterval 10000

# Lengthens the backlog queue, helpful in SYN flooding protection...
echo "tcp_param_arr+14/W 0t10240" | adb -kw /dev/ksyms /dev/mem
ndd -set /dev/tcp tcp_conn_req_max_q 8192

# the _q0 is the incomplete socket...
ndd -set /dev/tcp tcp_conn_req_max_q0 8192

-Sneex-  :]
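
Added example, not part of the original message: a small sh audit that reads each ndd-settable parameter from the list above and reports any value that differs from the one the message sets (the adb kernel write is not covered). The function names and the NDD_SNAPSHOT variable are hypothetical; NDD_SNAPSHOT points at a saved "driver parameter value" file so the check can also run away from the host.

```shell
#!/bin/sh
# Added example: compare ndd values against the baseline listed in the message.
# Each line is "driver parameter expected"; the values are copied from the post.
BASELINE='/dev/ip ip_forwarding 0
/dev/ip ip_forward_directed_broadcasts 0
/dev/ip ip_forward_src_routed 0
/dev/ip ip_respond_to_echo_broadcast 0
/dev/tcp tcp_strong_iss 2
/dev/tcp tcp_ip_abort_cinterval 10000
/dev/tcp tcp_conn_req_max_q 8192
/dev/tcp tcp_conn_req_max_q0 8192'

# get_param DRIVER PARAM: print the current value of one parameter.
# If NDD_SNAPSHOT (hypothetical variable) names a file of
# "driver parameter value" lines, read from it; otherwise ask ndd.
get_param() {
    if [ -n "${NDD_SNAPSHOT:-}" ]; then
        awk -v d="$1" -v p="$2" '$1 == d && $2 == p { print $3 }' "$NDD_SNAPSHOT"
    else
        ndd "$1" "$2" 2>/dev/null </dev/null
    fi
}

# audit_baseline: print one status line per parameter and return the number
# of parameters that differ from the baseline or could not be read.
audit_baseline() {
    drift=0
    while read -r drv param want; do
        [ -n "$drv" ] || continue
        have=$(get_param "$drv" "$param") || have=
        if [ -z "$have" ]; then
            echo "UNREADABLE $drv $param (expected $want)"
            drift=$((drift + 1))
        elif [ "$have" != "$want" ]; then
            echo "DRIFT $drv $param = $have (expected $want)"
            drift=$((drift + 1))
        else
            echo "OK $drv $param = $have"
        fi
    done <<EOF
$BASELINE
EOF
    return "$drift"
}
```

Source the file and call audit_baseline; a non-zero return status is the count of parameters to look at, which is useful after a reboot to confirm the /etc/init.d/inetinit additions actually took effect.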

