On Wed, 10 Nov 2004 00:03:03 +0100, Hynek Cihlar <hynek dot cihlar at gmail dot com> wrote:
> Yes, we've tried the new beta, but with the same problem.
> But you are right, there is too many connections from the LAN side.
> When we allow only the basic web services rejecting connections with
> nonstandard destination ports, the problem wanishes, everything is
> However I don't think that this is the right solution to this. There
> must be a more systematic approach.
I'd agree with others that you have infected hosts on your LAN. Go
back to denying everything but non-standard destination ports with
logging, including only TCP 25 (SMTP) from your mail server(s), syslog
to a remote system, and check your logs to see what it's blocking.
IIRC, you said your LAN has ~50 hosts. Exhausting 30,000 state table
entries means each have an average of 600 state entries. That's
pretty much impossible without having a ton of worm/virus infected