On Wed, 10 Nov 2004 00:03:03 +0100, Hynek Cihlar <hynek dot cihlar at gmail dot com> wrote:
> Yes, we've tried the new beta, but with the same problem.
>
> But you are right, there are too many connections from the LAN side.
> When we allow only the basic web services rejecting connections with
> nonstandard destination ports, the problem vanishes, everything is
> fine.
>
> However I don't think that this is the right solution to this. There
> must be a more systematic approach.
I'd agree with others that you have infected hosts on your LAN. Go
back to denying everything but non-standard destination ports with
logging, including only TCP 25 (SMTP) from your mail server(s), syslog
to a remote system, and check your logs to see what it's blocking.
IIRC, you said your LAN has ~50 hosts. Exhausting 30,000 state table
entries means each has an average of 600 state entries. That's
pretty much impossible without having a ton of worm/virus infected
hosts.
-Chris
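A small log-triage script in the spirit of the advice above (log the blocks, ship them to a remote syslog host, then look for LAN hosts that account for a disproportionate share). This is an added example, not code from the thread; the log line layout, the 30,000-state / 50-host budget and the thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of "block" lines in an assumed syslog-style layout.
SAMPLE_LOG = """\
Nov 10 00:05:01 fw pf: block in on em1: 192.168.1.23:3201 -> 10.0.0.5:135 tcp
Nov 10 00:05:01 fw pf: block in on em1: 192.168.1.23:3202 -> 10.0.0.6:135 tcp
Nov 10 00:05:02 fw pf: block in on em1: 192.168.1.23:3203 -> 10.0.0.7:445 tcp
Nov 10 00:05:02 fw pf: block in on em1: 192.168.1.40:1055 -> 203.0.113.9:8080 tcp
Nov 10 00:05:03 fw pf: block in on em1: 192.168.1.23:3204 -> 10.0.0.8:135 tcp
Nov 10 00:05:03 fw pf: block in on em1: 192.168.1.10:2500 -> 198.51.100.2:25 tcp
"""

# Matches "<src>:<sport> -> <dst>:<dport> <proto>" in a block line.
BLOCK_RE = re.compile(
    r"block \w+ on \S+: (\d+\.\d+\.\d+\.\d+):\d+ -> "
    r"(\d+\.\d+\.\d+\.\d+):(\d+) (\w+)"
)


def per_host_budget(state_limit: int, host_count: int) -> int:
    """Average state entries each host would need to exhaust the table."""
    return state_limit // host_count


def summarize_blocks(log_text: str) -> dict:
    """Per source host: number of blocked flows, distinct targets and ports."""
    summary = defaultdict(lambda: {"count": 0, "dst_hosts": set(), "dst_ports": set()})
    for line in log_text.splitlines():
        m = BLOCK_RE.search(line)
        if not m:
            continue  # not a block record; ignore
        src, dst, dport, _proto = m.groups()
        entry = summary[src]
        entry["count"] += 1
        entry["dst_hosts"].add(dst)
        entry["dst_ports"].add(int(dport))
    return dict(summary)


def suspicious_hosts(summary: dict, min_blocks: int, min_distinct_dsts: int) -> list:
    """Sources with many blocked flows fanning out to many destinations."""
    return sorted(
        src for src, e in summary.items()
        if e["count"] >= min_blocks and len(e["dst_hosts"]) >= min_distinct_dsts
    )
```

Fan-out to many destination hosts on a few ports is the pattern to look for; a single busy server usually talks to few peers.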