Re: Why does this connection stop being tracked?


 




On Wed, 15 Jun 2005, Andy Smith wrote:

On Wed, Jun 15, 2005 at 12:07:52PM -0400, R. DuFresne wrote:
You have two choices: either disable TCP SACK support on all your
real/virtual machines behind your firewall, or upgrade the kernel on the
firewall.

Do you have any instructions or a pointer to documentation on how to
temporarily disable SACK?  If it was a /proc setting that would be
ideal; I don't really want to have to recompile kernels though.


why?  you are certainly missing out on how to fix and patch a system when
bugs in the kernel affect it, to the ability to add features that your
dist maintainer has not enabled by default, or to change params in the
kernel such as moving away or to kernel modules as opposed to stack
functionality mapping.

I'm sorry, I didn't phrase that very well.  I'm perfectly happy to
compile new kernels and indeed I am required to run a patched 2.6.11
plus some other patches that I have to apply manually in order to
use Xen.

$ uname -a
Linux curacao.strugglers.net 2.6.11curacaoxen0-steven-hand1 #1 Sat Jun 4 18:49:26 UTC 2005 i686 GNU/Linux

I just didn't want to make a new kernel and reboot in order to test
the suggestion of disabling SACK as the downtime of a reboot on a
machine with multiple virtual machines is unpopular.



Oh, well, then that is a different situation <smile>, nevermind...

Thanks,


Ron DuFresne
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                -Tom Robbins <Still Life With Woodpecker>

