Stateful Packet Inspection: Table is full.

Discussion in 'LnS English Forum' started by 0strodamus, Aug 22, 2010.

Thread Status:
Not open for further replies.
  1. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,048
    Location:
    United Surveillance States
    I'm getting this error occasionally on certain webpages that have many links to other pages. Is this the correct registry key to adjust the SPI value?
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lnsfw]
    "MaxGenericSPIEntries"=dword:00000100
    
    If so, what are some safe values? I've tried adjusting this from the current value of 256 (Decimal) to 512 and 1024, but the log errors persist. Should I go higher? Are there any downsides to setting this value to a larger one? TIA!
     
  2. ktango

    ktango Registered Member

    Joined:
    Dec 7, 2006
    Posts:
    39
  3. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,048
    Location:
    United Surveillance States
    Thanks ktango! I'm not sure why I didn't find that thread when I searched before posting. I'm still getting the errors with the setting recommended in that post and am waiting on LnS support reply on how high you can safely take that value to. Thanks again!
     
  4. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Maybe it's an attack.

    Filling the SPI table is a way to breach the firewall and gain entry into a system.
     
  5. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hi 0strodamus,

    Simultaneous connections, customisable to 1024 maximum. Not sure, but I think anything above will be reverted back to 1024.

    An image attached showing details about the packet loggings would be much appreciated.
     
  6. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,048
    Location:
    United Surveillance States
    Hi Phant0m!
    I tried 512, 1024, and 2048, but none of the changed values made a difference so I put the setting back to 256. I noticed this on a couple sites that I found on reddit and aren't sites I normally visit so I'm not too concerned about finding a fix for this - just curiosity at this point. One of the sites that I was able to find again links to a ton of thumbnails pulled from imagevenue.com. I've attached a log screengrab.
    log.png
     
  7. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    What type of Internet connection are you using? Must be something fast? ;)
     
  8. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    Not necessarily. I noticed the same thing when I close my browser with e.g. 10-20 open tabs (and the browser supports the "remember last session" option & this option is enabled) and then I open it again. So as you can imagine there are plenty of connections in a short period of time and it is present in the Log tab in LnS as "SPI: Table is full" :)
     
  9. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Assuming he’s opening the browser which is loading up several pages... but I find that difficult to see, not without help from p2p or other applications on his computer creating a lot of connections.

    MaxGenericSPIEntries isn’t even the right tweak he wants to use, he has to use MaxSPIEntries, and the ‘TCP Connection states’ window will have a new maximum number of connections (assuming he re-boots after applying the tweak).
     
  10. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Not with Look 'n' Stop, the SPF table gets full, it blocks until there are free table entries available.

     
  11. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,048
    Location:
    United Surveillance States
    My ISP advertises my package as 15Mbps, but I doubt I ever see speeds that high.
    I'll give that a try. I completely missed that they were different tweaks. Thanks Phant0m!

    EDIT: Phant0m, you are the man! Setting MaxSPIEntries to 512 resolved all of the log entries. Thanks for pointing this out to me. I'll have to read more carefully from now on. :oops:
    Thanks again!
     
    Last edited: Aug 24, 2010
  12. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Awesome. :thumb:
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi,

    I have been checking some issues I have been seeing, one of the issues is with the "SPI:Table full".

    There appears to be some delay before connections that are finished /"time_wait" are being removed from L`n`S state table, it appears there is a priority to enter connection details than to remove them, which can lead to a full table without the actual current connections being more than the state_table entry level.
    A simple example is a connection to "gog.com"-> "Games Catalogue", which does have many connections but only 8 current. With L`n`S set at 256 SPI connections, entries are made for "SPI:Table full"

    I did run some tests with a "Torrent client" (I downloaded a 3GB film from "Vodo.net"). I kept close watch on the reported connections from the torrent client and verified that info with both "cports" and "TCPview" (I also watched for "SYN_Sent"... No inbound connections were allowed). The current connections never went over 200 (stayed around approx 190). L`n`S was reporting 238 connections. Entries were being made in L`n`S for "SPI:Table full" during the download period. Once the download had completed, I closed the torrent client, checked "Cports" and "TCPview" which showed no current connections or time_wait. L`n`S showed 36 current connections and took over 30mins for the connections to be removed from the connections list.

    I know I can increase the state_table size (which I have already done), but that is only a workaround to an underlying problem.


    - Stem
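
    The behaviour described in the post above, as an added illustration that is not part of the original thread and is not Look 'n' Stop code: a toy bounded state table where closed connections linger before removal. The class and function names, the removal timing and the browsing workload are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Entry:
    closed_at: Optional[float] = None   # None while the connection is live

class StateTable:
    """Hypothetical bounded connection-tracking table (a model, not LnS internals)."""
    def __init__(self, capacity, linger):
        self.capacity = capacity        # e.g. 256, the default quoted in the thread
        self.linger = linger            # seconds a closed entry stays in the table
        self.entries = {}
        self.table_full_events = 0      # what the log would show as "Table is full"

    def _expire(self, now):
        stale = [k for k, e in self.entries.items()
                 if e.closed_at is not None and now - e.closed_at >= self.linger]
        for k in stale:
            del self.entries[k]

    def admit(self, key, now):
        self._expire(now)
        if len(self.entries) >= self.capacity:
            self.table_full_events += 1  # fail closed: the new connection is blocked
            return False
        self.entries[key] = Entry()
        return True

    def close(self, key, now):
        if key in self.entries:
            self.entries[key].closed_at = now

    def live(self):
        return sum(1 for e in self.entries.values() if e.closed_at is None)

def simulate(capacity, linger, bursts=40, per_burst=8, hold=1.0, gap=2.0):
    """Constructed workload: every `gap` seconds a page opens `per_burst`
    short connections, each closing `hold` seconds later."""
    table, peak_live = StateTable(capacity, linger), 0
    for b in range(bursts):
        t = b * gap
        opened = [k for k in ((b, i) for i in range(per_burst)) if table.admit(k, t)]
        peak_live = max(peak_live, table.live())   # connections genuinely in use
        for k in opened:
            table.close(k, t + hold)
    return peak_live, table.table_full_events
```

    With a 30-minute linger and 256 entries, simulate(256, 1800.0) never has more than 8 live connections yet records 64 blocked attempts; prompt removal (linger of 1.0) or a 1024-entry table both bring that to zero, which is why the larger table hides the symptom without changing the removal delay.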
     
  14. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hi Stem,

    I’m trying to reproduce your experiences, the number of simultaneous connections is back to 128.

    Doing the simple example that you had given, over and over and over again, I’m not able to come close to filling the table, and the Look ‘n’ Stop connections in the SPI table and what is showing elsewhere is identical and no current connection entries in the SPI table stays long.

    And the torrent use on a 550MB file revealing no problems, even after several minutes had passed.


    Are you using the latest release? What is shown for driver versions in Look 'n' Stop - Console?
     
  15. newline

    newline Registered Member

    Joined:
    Dec 3, 2010
    Posts:
    39
    Location:
    .au
    May I enquire which version of Windows and which, if any, rule set? Do they matter?

    What threat do your findings pose to the user of LnS?

    Your post reads like a negative!
     
  16. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    The SPI table fills, anything making new TCP connections is blocked until room in the TCP SPI table starts clearing, just a very annoying experience. ;)
     
    Last edited: Jul 4, 2011
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Phant0m,

    Yes, latest version downloaded direct from L`n`S website yesterday (I wanted to check with a new install).

    I tried again connecting to Gog.com, made a refresh of the "games catalogue" page and log filled again. (I reset back to 256 SPI connections)

    01.png

    I will see if I can find a conflict anywhere on my setup (win XP pro)


    - Stem
     
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    It is my own ruleset (win XP pro), but it does not/should not matter.

    None.

    It is just a problem that can be worked around easily (increase SPI table to 1024). I am just trying to find what the problem is.

    - Stem
     
  19. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    If you are only seeing 8 / 256, no way should you be getting those Table is full messages...

    What browser are you using?
     
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Firefox 4.

    I have found the problem with connecting to Gog.com. It is due to my connections going through local_proxy (Proxomitron) for HTTP. Not sure as to why it is causing the issue (removing proxy and no more table full). Even with local_host connections, it should not be filling L`n`S SPI table. Maybe a conflict?


    - Stem
     
  21. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Sounds possibly like Proxomitron is messing up, I’ve used a similar product (Privoxy) and not had any anomalies like you are experiencing.
     
  22. newline

    newline Registered Member

    Joined:
    Dec 3, 2010
    Posts:
    39
    Location:
    .au
    Thanks for the prompt reply.

    I am a semi-advanced user; my rules are heaps better than the advanced set. I don't Phantom.

    Problem is that out of the blue there is an apparently 'threatening' post to users (like me). The subsequent posts are almost as threatening to users (like me). LnS is 'not so good'.

    To be honest, reading threads, like this one, leaves me with the impression that any, third-party security application is inadequate.

    This is the 'official' LnS support site. Recent posts imply that support is non-existent and LnS may not be as good as we are led to believe.
     
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Problems can happen. For me with this, it was due to a filter in Proxomitron that was closing down port use. I have removed the filter and now back to normal. (I forget most of the time I even have Proxomitron running as HTTP filter, that's why I did not think of it before. I blame it on old age)
    Well L`n`S is more than adequate as a packet filter, which it is intended for. There are of course other considerations, such as adding an HIPS and/or AV to create a layered defense.

    Support would only be non-existent if no one got any support. I know Frederic has been absent for a while, but if you have a problem, you can always post to this forum and you should get a helpful reply from one of the members here.


    - Stem
     
  24. newline

    newline Registered Member

    Joined:
    Dec 3, 2010
    Posts:
    39
    Location:
    .au
    Again, thanks. I use LnS because it is a firewall and I like it. If I needed a HIPS, I would look elsewhere (HIPS and firewall are not the same).

    You just scared me.
     
  25. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi newline,

    The "SPI:Table full" is not a security problem. By default, when the "SPI" is enabled, there is a maximum of 256 current connections allowed. That in most cases is more than adequate. If more is needed, then you can add/change a registry entry which will increase the state table (current connections) up to 1024.

    Nothing to be scared about.


    - Stem
     