 From:  "Krzysztof Syguda" <krzys at wroclaw dot dialog dot net dot pl>
 To:  Hynek Cihlar <hynek dot cihlar at gmail dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] How to limit max. number of NAT translation (sessions) on m0n0wall to single IP on LAN side
 Date:  Wed, 10 Nov 2004 16:15:41 +0100
> > Any time this happens, it's because of a problem like a worm, unless
> > you have a huge LAN.  Ignoring it is a bad idea.  While implementing a
> > measure to prevent this might keep your connection up for other users,
> > it's also allowing the almost certainly infected hosts to spew their
> > crap all over the internet (up until they reach the max state entries)
> > and not forcing you to address the problem.  I'd rather see it go down
> > under those circumstances.
> 
> I would disagree with you. Now with the increased NAT state table in the
> new m0n0 beta it will do much more harm than before, and this just
> because there is no option to limit the number of connections per IP.
> If I were able to limit the number to, let's say, 100 per IP, then I
> would make life easier for my firewall and for the outside world of the
> internet as well. If something terrible happened that would cause a
> huge number of connections originating from the machine, the user would
> spot it and eventually complain to his/her administrator. The
> administrator would ultimately resolve the issue.
> 
> This would lead to the valid feature request to limit the number of
> connections per IP.
> 
> Hynek

I agree with you. There are some kinds of programs like "flashget" which could
kill the fw by opening thousands of sessions. Many users don't care and in many
cases don't know what they are doing and set connection limits to "unlimited".
If they work periodically, administrators have a lot of work to resolve the problem.
The router and network become unstable.
Bill G.'s team implemented a max session limit of 400 on Win XP SP ;-) but there
are some cracks which can break this limit. The only way to protect the Internet
from "ugly" users is a hard limit on the first router.
I know that there is no simple way to do this now, but if somebody has some
idea how to do this, they should do it.

KS

Thought for the day:
    Communist (n): one who has given up all hope
    of becoming a Capitalist.
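The per-source state cap that Hynek asks for, as an added illustration that is not part of this thread and not a m0n0wall configuration: it assumes a gateway running the pf packet filter, with the interface names and LAN prefix below chosen as placeholders.

```pf
# Added example, not from the list thread. Assumes a pf-based gateway;
# em0/em1 and 192.168.1.0/24 are placeholder values.
lan_if  = "em0"
wan_if  = "em1"
lan_net = "192.168.1.0/24"

# Outbound NAT for the LAN.
nat on $wan_if from $lan_net to any -> ($wan_if)

# Weak form (commented out): a single LAN host may create as many state
# entries as the global table allows, so one runaway client fills it.
# pass in on $lan_if from $lan_net to any keep state

# Hardened form: each LAN source address may hold at most 100 state
# entries created by this rule (TCP, UDP and ICMP alike); further
# connection attempts from that host are dropped until its states expire,
# while other hosts keep working. Inspect the per-source counters with:
#   pfctl -s Sources
pass in on $lan_if from $lan_net to any keep state (max-src-states 100)
```

A host that is pinned at the cap in the source-tracking table is the one to go and look at, which is the "user spots it and complains" outcome described above rather than the whole connection going down.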