 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] How to limit max. number of NAT translation (sessions) on m0n0wall to single IP on LAN side
 Date:  Wed, 10 Nov 2004 07:20:58 -0500
On Wed, 10 Nov 2004 11:41:33 +0100, Krzysztof Syguda
<krzys at wroclaw dot dialog dot net dot pl> wrote:
> You all are right:
> some p2p clients and worms can destroy all network traffic.
> There are a couple of methods to find the "bad client", but in some cases it could
> be very difficult (for example if we have a WLAN broadcast network [some
> access points]) behind the LAN interface.

That makes it no more difficult than if it's all on an all Ethernet
LAN.  You still have the source IP, no matter your internal network
topology (unless you're doing something dumb and ugly like double
NAT).


> By reducing the max number of sessions to a single IP or group of IPs we can save
> WAN traffic and router utilization.
> So, the point is how to limit the max number of sessions, NOT how to find "bad"
> clients or how to enlarge the number of NAT translations on the router.
> 

Yeah except that's not possible with ipfilter (what m0n0wall uses), as
far as I've been able to find.  pf has a max-src-states option that
limits the number of states per source IP on a per rule basis, but I
couldn't find anything similar in ipfilter.

FWIW, I'm not aware of any commercial firewalls that have such an
option (though I'm sure at least one does somewhere, it's certainly
not a common feature).

Any time this happens, it's because of a problem like a worm, unless
you have a huge LAN.  Ignoring it is a bad idea.  While implementing a
measure to prevent this might keep your connection up for other users,
it's also allowing the almost certainly infected hosts to spew their
crap all over the internet (up until they reach the max state entries)
and not forcing you to address the problem.  I'd rather see it go down
under those circumstances.

-Chris
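For reference, this is what the pf per-source state limit Chris mentions looks like in pf.conf. It is an added example, not from the thread or from m0n0wall (which, as Chris says, runs ipfilter and has no equivalent); the interface name, LAN network and the limit of 100 are assumed.

```pf
# Added example (not from the thread): pf syntax for limiting the number of
# states a single source IP may hold. Interface, network and limit are assumed.
lan_if  = "sis1"
lan_net = "192.168.1.0/24"

# Default: nothing enters from the LAN unless a later rule passes it
# (pf is last-match, so the pass rule below wins for matching traffic).
block in on $lan_if

# Each LAN host may hold at most 100 concurrent states created by this rule.
# A host that hits the limit has its new connections dropped instead of
# filling the state/NAT table for everyone else. "source-track rule" makes
# the count per source IP and per rule, which is the behaviour Chris describes.
pass in on $lan_if inet from $lan_net to any \
    keep state (source-track rule, max-src-states 100)
```

`pfctl -s sources` lists the tracked source addresses with their current state counts, which is the quickest way to see which host is pegged at the limit and, as Chris argues, needs to be cleaned up rather than just throttled.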