01/03/2005
The internet is an orgy for binary data
I mean look a 1 is shaped like a phallus and an 0 has a hole in the middle what more do you want?!
nmap vs. netfilter
This is how you set up a TCP connection, such as the one from your browser to this website!
- You send me a packet called a SYN packet, it stands for "synchronise" and means "I want to connect, this is the sequence number I shall be using from here on"
- I send you back a SYNACK packet. This is a SYN packet telling you what sequence numbers I shall be using, that also acknowledges receipt of your SYN packet.
- Finally you send me an ACK to my SYN and we have established a connection.
The point is, the connection tracking code that is in Netfilter (that's the firewall/NAT code in Linux) uses the ACK packet, the third one in the list above, to note when a connection has been established. And that's all it does. As soon as an otherwise blank ACK packet goes through it, it says "okay that's an established connection". It keeps this established connection in its list of tracked connections until it gets a matching FIN or RST.
Now we get to nmap. This is a portscanner, as I'm sure you're aware. Before it scans a target host it tries to ping it, else it might sit there for hours scanning a host that's down and not going to make any kind of response at all. To do this, in recent versions at least, by default it sends a blank ACK packet. TCP says if a host receives an ACK packet it doesn't expect it should respond with a RST, which nmap uses to determine a host's status.
But note that a blank ACK packet is exactly what netfilter thinks is the packet that establishes a new connection! The upshot is, if you use nmap to sweep a bunch of hosts, all of the ones that are down create an entry in netfilter's tracked connections table (which you can view by typing cat /proc/net/ip_conntrack). So you can fill up this table pretty quickly.
Tracked connections have timeouts though. Depending on its state, a connection will be dropped if it doesn't see any traffic within a certain amount of time. An established connection by default has a timeout of five days. So these fake connections will hang around in the table for five whole days. It's a bit silly really, especially since they show up in the table as [UNREPLIED] and you'd think it would reduce the timeout for such packets. But I guess not?
Also there are various badly-written network applications such as Bittorrent (what a surprise, a badly-behaving peer-to-peer program) that can also fill up your table. You can't really empty the table on demand, except by unloading and reloading the kernel module, or rebooting the router. You can increase the table size* or reduce the timeout** which is what I did. I set it to six hours (21600 seconds, you set it in seconds) which hasn't caused me any trouble. It's not that I was ever approaching any upper bounds but all these spurious things hanging around grates on my brain.
*echo "$HUGE" > /proc/sys/net/ipv4/ip_conntrack_max
**echo "$SMALL" > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
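An added example, not part of the original post: a shell/awk pass over the table that counts the entries described above (TCP connections marked ESTABLISHED but still flagged [UNREPLIED]) and groups them by originating address. The sample lines are constructed, assume the classic /proc/net/ip_conntrack line layout, and the function names are made up for this example.

```shell
#!/bin/sh
# Constructed sample in /proc/net/ip_conntrack format (all addresses made up).
# Fields: proto name, proto number, seconds until expiry, TCP state,
# original tuple, optional [UNREPLIED], reply tuple, optional [ASSURED], use count.
sample_conntrack() {
cat <<'EOF'
tcp      6 431990 ESTABLISHED src=192.168.0.10 dst=203.0.113.5 sport=40001 dport=80 [UNREPLIED] src=203.0.113.5 dst=192.168.0.10 sport=80 dport=40001 use=1
tcp      6 431991 ESTABLISHED src=192.168.0.10 dst=203.0.113.6 sport=40002 dport=80 [UNREPLIED] src=203.0.113.6 dst=192.168.0.10 sport=80 dport=40002 use=1
tcp      6 431992 ESTABLISHED src=192.168.0.10 dst=203.0.113.7 sport=40003 dport=80 [UNREPLIED] src=203.0.113.7 dst=192.168.0.10 sport=80 dport=40003 use=1
tcp      6 21542 ESTABLISHED src=192.168.0.22 dst=198.51.100.9 sport=51000 dport=443 src=198.51.100.9 dst=192.168.0.22 sport=443 dport=51000 [ASSURED] use=1
tcp      6 431800 ESTABLISHED src=192.168.0.23 dst=203.0.113.50 sport=6881 dport=6881 [UNREPLIED] src=203.0.113.50 dst=192.168.0.23 sport=6881 dport=6881 use=1
udp      17 25 src=192.168.0.22 dst=192.0.2.53 sport=33000 dport=53 src=192.0.2.53 dst=192.168.0.22 sport=53 dport=33000 use=1
tcp      6 110 TIME_WAIT src=192.168.0.22 dst=198.51.100.9 sport=51001 dport=443 src=198.51.100.9 dst=192.168.0.22 sport=443 dport=51001 [ASSURED] use=1
EOF
}

# Count TCP entries that are ESTABLISHED yet never saw a reply packet.
# Reads conntrack lines on stdin; prints 0 for empty input.
count_phantom() {
    awk '$1 == "tcp" && $4 == "ESTABLISHED" && /\[UNREPLIED\]/ { n++ }
         END { print n + 0 }'
}

# Same filter, grouped by the original source address ($5 is "src=ADDR"),
# busiest source first. One source with many entries suggests a sweep.
phantom_by_source() {
    awk '$1 == "tcp" && $4 == "ESTABLISHED" && /\[UNREPLIED\]/ {
             split($5, a, "="); c[a[2]]++
         }
         END { for (s in c) print c[s], s }' | sort -k1,1nr -k2,2
}

# Run against the constructed sample.
sample_conntrack | count_phantom
sample_conntrack | phantom_by_source
```

On the router itself, feed the real table instead of the sample: count_phantom < /proc/net/ip_conntrack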
Imp y Celyn
Carrying on in the great "shitty map" traditions of The Real Wright Junior Senior High School I downloaded from /newstuff the other week the following atrocity. Named Impy, this is simply a copy of Doom Episode 1 with everything taken out, and replaced by hordes of imps. Not only does it break the rules of the archive about blatantly derivative reworks of id software's maps (so why it hasn't been taken out yet I don't know) but it even says it's an attempt to get "on the infamous list on doomworld". In other words, it's a joke and a bad one at that.
However I am a sucker for really bad maps so naturally I played it as much as I could. Remember it's a rehash of episode 1. It is episode 1, just with new monster placements. That's it. A few of the maps have moved your start position, and there are minor changes to mean you have to visit every area of each map and clear it of enemies in order to beat it. I love this kind of shit.
Maps 1, 2, 3 and 7 were done with relative ease. That is I finished them pretty much first time. Thousands of imps can be quite a threat though, especially if they attack you from all angles at once. Thus map 5 took a few attempts and map 4 took a few more. Map 9 I decided was beyond me. Almost the entire map wakes up immediately and there's just nowhere to run to.
That leaves maps 6 and 8, which is where it gets really annoying. Map 6 is quite easy - there are hordes, but they tend to get caught in bottlenecks so you just stand there and shoot, then close the door they can't open and run back to the start for more plasma cells - right up until the point where you try to press this button on the wall and OH SHIT it doesn't do anything. Map 8 does this too but thankfully nearer the start. I fixed both maps in Yadex and restarted them, finding map 6 to be as easy as I thought it'd be, but map 8 was completable but so stuffed with imps that it's impossible to get 100% kills with the ammunition you're given.
In summary, unlike The Real Wright Junior Senior High School this was a disappointment. Also I will save a rant about ZDoom, Doom Builder, and idiots making bad maps and not even realising it, for another time.