 
 From:  Hynek Cihlar <hynek dot cihlar at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] How to limit max. number of NAT translation (sessions) on m0n0wall to single IP on LAN side
 Date:  Wed, 10 Nov 2004 14:50:12 +0100
> Any time this happens, it's because of a problem like a worm, unless
> you have a huge LAN.  Ignoring it is a bad idea.  While implementing a
> measure to prevent this might keep your connection up for other users,
> it's also allowing the almost certainly infected hosts to spew their
> crap all over the internet (up until they reach the max state entries)
> and not forcing you to address the problem.  I'd rather see it go down
> under those circumstances.

I would disagree with you. Now with the increased NAT state table in the
new m0n0 beta it will do much more harm than before, and this just
because there is no option to limit the number of connections per IP.
If I were able to limit the number to, let's say, 100 per IP, then I
would make life easier for my firewall and for the outside world of the
internet as well. If something terrible happened that would cause a
huge number of connections originating from the machine, the user would
spot it and eventually complain to his/her administrator. The
administrator will ultimately resolve the issue.

This would lead to the valid feature request to limit the number of
connections per IP.

Hynek
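The per-IP limit proposed above can be illustrated in two parts: counting active NAT states per LAN source address to spot a host that is far above its peers (the worm symptom the quoted reply describes), and an admission check that refuses a new state once a source reaches its quota. The following is an added example, not m0n0wall or ipfilter code; the state-table lines are constructed in a generic `proto src:port -> dst:port` form and do not claim to match any real tool's output, and the 100-per-IP threshold is the figure from the post.

```python
"""Per-source-IP NAT state accounting and limiting.

Added example for the thread above; not m0n0wall/ipfilter code. The input
format is a constructed generic one, not real ipfstat output.
"""
from collections import Counter

# Constructed sample state table: one line per active translation.
# Two normal hosts plus one host (192.168.1.30) holding 150 outbound SMTP states.
SAMPLE_STATES = """\
tcp 192.168.1.10:51002 -> 203.0.113.5:80
tcp 192.168.1.10:51003 -> 203.0.113.6:443
udp 192.168.1.20:40001 -> 198.51.100.1:53
""" + "\n".join(
    f"tcp 192.168.1.30:{40000 + i} -> 198.51.100.{i % 254 + 1}:25"
    for i in range(150)
)


def parse_states(text):
    """Yield (proto, src_ip, dst_ip) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "->":
            continue  # blank or malformed line
        proto, src, _, dst = parts
        # rsplit so an address with a port suffix is handled without a full parser
        yield proto, src.rsplit(":", 1)[0], dst.rsplit(":", 1)[0]


def states_per_source(text):
    """Number of active states held by each LAN source address."""
    return Counter(src for _, src, _ in parse_states(text))


def offenders(text, limit=100):
    """Sources at or above the per-IP limit, highest count first."""
    counts = states_per_source(text)
    return sorted(
        ((ip, n) for ip, n in counts.items() if n >= limit),
        key=lambda item: -item[1],
    )


class PerIpLimiter:
    """Admission check a NAT gateway could apply when a new state is created.

    Once a source holds `limit` states, further state creation for that
    source is refused until one of its states is closed, so one runaway
    host cannot exhaust the shared table.
    """

    def __init__(self, limit):
        self.limit = limit
        self.active = Counter()

    def open_state(self, src_ip):
        """Return True if the new state is admitted, False if the host is at quota."""
        if self.active[src_ip] >= self.limit:
            return False
        self.active[src_ip] += 1
        return True

    def close_state(self, src_ip):
        """Release one state for the source (no-op if it holds none)."""
        if self.active[src_ip] > 0:
            self.active[src_ip] -= 1


if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_STATES, limit=100):
        print(f"{ip} holds {n} states (limit 100)")
```

Run it to see the single over-limit host reported; in practice the reporting half is what an administrator would run against a state-table dump to find the machine that should be looked at, while the limiter half models the firewall-side behaviour the feature request asks for.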