Stateful Packet Inspection: Table is full.

Discussion in 'LnS English Forum' started by 0strodamus, Aug 22, 2010.

Thread Status:
Not open for further replies.
  1. newline

    newline Registered Member

    Joined:
    Dec 3, 2010
    Posts:
    39
    Location:
    .au
    Your (first) post was more than six months after its predecessor. So, nothing to be worried about - just scary!

    Problem with LnS is that its future is an unknown property; the developer seems willing to accept our $ but ignore us before and thereafter.

    Such is life!
     
  2. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Frederic had always been so very dedicated to his customers since before the very first official release, before February 2001, and that lasted up to at least October 2009. As long as Look ‘n’ Stop continues to function as it should, and knowing that if a real issue appears Frederic is still going to address it, I’ll continue to be supporting the Look ‘n’ Stop product.
     
  3. newline

    newline Registered Member

    Joined:
    Dec 3, 2010
    Posts:
    39
    Location:
    .au
    I'm using it and I am a supporter. I just don't like surprises.
     
  4. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Stem,

    Your experiences may very well be directly related to the Look ‘n’ Stop TCP SPI table implementation design, apparently the limit isn’t following the usual design, the limit isn’t just for the ‘Connected’ entries, but also for everything else including 'Closed’ entries, .. hence the subsequent TCP packets blocking while you have something like 8 / 256 for the number of connections.

    I didn’t experience the sticky entries though.
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Phant0m,

    That's strange. I will try to find some time to make further checks.


    - Stem
     
  6. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Not sure if I was entirely clear in the previous post, but I mean that the limit includes all states and not just for ‘Connected’ / Established entries, ... so if you have the limit of 256, 8 table entries for ‘Connected’ / Established entries, the 248 others entries includes the other states even 'Closed’ to hit the limit.
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    A connection does not remain in a closed state. Once a connection is closed, it is handed to the system for Time_Wait. If L`n`S was to retain a state_table entry for a closed connection, even then it would not fill that table to cause the problem I have seen, unless there was some delay in the closed connection entry being removed.


    - Stem
     
  8. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    There are delays to control the reuse of the entries in the TCP SPI table, for instance for ‘Closed’ it's 20 secs.
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    That to me is a little excessive. Is there a way to change that (reg change?).

    By the way. What is the reg entry for "block all Internet during boot". I cannot find that now.


    - Stem
     
  10. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    There is, I’ll round up the information and post it.


    The block one I have handy
    ---
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lnsfw]
    "BlockAllBeforeInit"=dword:00000001
    ---
     
  11. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    There are 6 configurable timers, here are the registry entries:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lnsfw]
    "TCPSPITimeoutReuseClosed"=dword:00004e20
    "TCPSPITimeoutReuseConnecting"=dword:00004e20
    "TCPSPITimeoutReuseClosing"=dword:0000ea60
    "TCPSPITimeoutReuseInactive"=dword:001b7740
    "TCPSPITimeoutNotConnected"=dword:000927c0
    "TCPSPITimeoutReuseReset"=dword:00003a98



    These values control the reuse of the entries in the TCP SPI table. When an entry is reused too early, it means some late packets belonging to this entry will be discarded by the TCP SPI (and will send a false alert to the application). On the other hand, if the entry is not reusable, it means the table could become full too quickly (and it could cause Full alerts). So there is a fine tuning to be found between both cases.

    Default timeout values for the listed timeouts below (in the same order);
    20s, 20s, 60s, 30min, 15s, 10min - when nothing is specified in the registry.

    TCPSPITimeoutReuseClosed => this is the timeout for connections detected as closed (even after it has been detected as closed by the SPI, sometimes there are additional packets like Reset, or whatever).

    TCPSPITimeoutReuseConnecting => this is the timeout for connecting connections. It means, the SYN sequence is not complete.

    TCPSPITimeoutReuseClosing => this is the timeout to detect incomplete closing connections.

    TCPSPITimeoutReuseInactive => this is the timeout for inactive connections. It is more a protection to purge the table in case the TCP SPI missed some packets, or if the opposite side suddenly disconnects without sending packets and the connection is passive on the PC side.

    TCPSPITimeoutReuseReset => this is the timeout for the reuse of reset entries when connecting.

    TCPSPITimeoutNotConnected => this is the timeout for the reuse of very old entries first, whatever the status of the entry (except the ones that are connected), and is looked first in the order.
     
    Last edited: Jul 7, 2011
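    As an added illustration (not code from this thread or from Look ‘n’ Stop itself), the script below decodes the dword values listed above into seconds and models the fixed-size table behaviour Phant0m describes, where a Closed entry keeps its slot until its reuse timeout has elapsed. The 256-entry limit, the churn rate, the eight long-lived connections and the reading of the dword data as milliseconds are assumptions made for the example.

```python
import re

# Constructed .reg fragment with the post's six entries; dword data is assumed
# to be milliseconds, which agrees with the quoted 20s / 60s / 30min defaults.
REG_TEXT = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lnsfw]
"TCPSPITimeoutReuseClosed"=dword:00004e20
"TCPSPITimeoutReuseConnecting"=dword:00004e20
"TCPSPITimeoutReuseClosing"=dword:0000ea60
"TCPSPITimeoutReuseInactive"=dword:001b7740
"TCPSPITimeoutNotConnected"=dword:000927c0
"TCPSPITimeoutReuseReset"=dword:00003a98
'''

def parse_reg_timeouts(text):
    """Map each TCPSPITimeout* value name to its timeout in seconds."""
    pat = re.compile(r'^"(TCPSPITimeout\w+)"=dword:([0-9a-fA-F]{8})$', re.M)
    return {name: int(hexval, 16) / 1000 for name, hexval in pat.findall(text)}

class SpiTable:
    """Toy fixed-size SPI table: a Closed entry keeps its slot until its reuse timeout passes."""
    def __init__(self, limit, closed_reuse_s):
        self.limit, self.closed_reuse_s = limit, closed_reuse_s
        self.entries = []                      # [state, time_of_last_change]
    def open_connection(self, now):
        """Return the slot index used, or -1 when the table is full."""
        for i, e in enumerate(self.entries):   # reuse an expired Closed slot first
            if e[0] == "Closed" and now - e[1] >= self.closed_reuse_s:
                self.entries[i] = ["Connected", now]
                return i
        if len(self.entries) < self.limit:
            self.entries.append(["Connected", now])
            return len(self.entries) - 1
        return -1
    def close_connection(self, i, now):
        self.entries[i] = ["Closed", now]
    def connected(self):
        return sum(1 for e in self.entries if e[0] == "Connected")

def simulate(closed_reuse_s, limit=256, persistent=8, rate_per_s=20, dur_s=60):
    """Churn short connections beside `persistent` open ones; return (time of first 'table full', connected then)."""
    table = SpiTable(limit, closed_reuse_s)
    for _ in range(persistent):
        table.open_connection(0.0)
    for step in range(int(rate_per_s * dur_s)):
        now = step / rate_per_s
        slot = table.open_connection(now)
        if slot < 0:
            return now, table.connected()
        table.close_connection(slot, now)   # short-lived: closed right away
    return None, table.connected()          # never filled within dur_s
```

    With the default 20 s Closed reuse timeout the modelled table reports full after about 12 s while only the 8 persistent connections are actually established (the "8 / 256" symptom), whereas a 1 s timeout lets slots be recycled and the table never fills.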
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Many thanks for the info.


    That explains the delay in removing the SPI entries from my test with the Torrent client.


    - Stem
     
  13. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    :D


    I've updated the previous post to include two additional TCPSPITimeout tweaks. :p
     
  14. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    thx for the info :thumb: this is what I've been looking for :D
    but I can't find the registry value, should I make one?
     
  15. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Hi blasev,

    Yes, by default there is no entry; to enable this feature you simply create the value and set the data.
     
  16. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    nice find :D

    thanks for the explanation :thumb:
     
  17. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,096
    Location:
    QC
    Thank you very much for this info, I also didn't have this on hand, and I want to now make very good use of this useful new reg entry. :thumb:

    --
    edit: I'm not very proficient with editing a registry, so could someone please be kind enough to have a check if I made it correctly?
     
    Last edited: Jul 11, 2011
  18. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    I’m feeling like a fat Lns databank :rolleyes:
     
  19. newline

    newline Registered Member

    Joined:
    Dec 3, 2010
    Posts:
    39
    Location:
    .au
    LnS is a good product but its 'official' forum is increasingly poor and becoming full of self-importance. These conversations should be occurring by pm.

    What about (we) paying users? Do we simply 'feel like' your fat databank?
     
    Last edited: Jul 11, 2011
  20. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    You made it correctly ruinebabine. :thumb:
     
  21. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    I find your persistent cheap shots pathetic... How are you forming that opinion about the official support forums being increasingly poor? People who post here for help and information are getting it, and most seem satisfied with the aid. Also anything Look 'n’ Stop related can be posted on these forums, if you feel stuff being posted should be in PM, then take it up with the Moderators.
     
  22. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Another thing..., no rule on here about needing to be 100% serious in every single post made, so ease up or simply stop posting negatively. And if you have a problem with me and my posts, you have the option to ignore or report them; stop this negative posting.
     
  23. newline

    newline Registered Member

    Joined:
    Dec 3, 2010
    Posts:
    39
    Location:
    .au
    https://www.wilderssecurity.com/showthread.php?t=275878. There is no official support in this forum.

    I am a paid customer and I use and like the product (on XP). However, I cannot use my HSDPA modem because LnS does not support it. The reply to my support request (e-mail) implied that LnS does not (and may never) support it (NDIS 6.2).
     
    Last edited: Jul 13, 2011
  24. newline

    newline Registered Member

    Joined:
    Dec 3, 2010
    Posts:
    39
    Location:
    .au
    For completeness, I sent a support request last week to ask if LnS will ever support NDIS 6.2. I have received a reply (e-mail support is still available, but not as quick as last year) which I can paraphrase as 'LnS will probably never support NDIS 6.2'.
     
  25. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Do you not mean that your specific USB modem probably will never be supported?

    I have just set up L`n`S (Win7 X64) on a Realtek RTL8168B/8111B NDIS 6.2 and don't see any problems at the moment.


    - Stem
     
    Last edited: Jul 21, 2011