> > Any time this happens, it's because of a problem like a worm, unless
> > you have a huge LAN. Ignoring it is a bad idea. While implementing a
> > measure to prevent this might keep your connection up for other users,
> > it's also allowing the almost certainly infected hosts to spew their
> > crap all over the internet (up until they reach the max state entries)
> > and not forcing you to address the problem. I'd rather see it go down
> > under those circumstances.
>
> I would disagree with you. Now with the increased NAT state table in the
> new m0m0 beta it will do much more harm than before, and this just
> because there is no option to limit the number of connections per IP.
> If I were able to limit the number to let's say 100 per IP, then I
> would make life easier for my firewall and for the outside world of the
> internet as well. If something terrible happened that would cause a
> huge number of connections originating from the machine, the user would
> spot it and eventually complain to his/her administrator. The
> administrator would ultimately resolve the issue.
>
> This would lead to the valid feature request to limit the number of
> connections per IP.
>
> Hynek

I agree with you. There are some kinds of programs like "flashget" which could kill the firewall by opening thousands of sessions. Many users don't care, and in many cases don't know what they are doing, and set the connection limit to "unlimited". If they work periodically, administrators have a lot of work to resolve the problem. The router and network become unstable. Bill G.'s team implemented a max session limit of 400 in Win XP SP ;-) but there are some cracks which can break this limit. The only way to protect the Internet from "ugly" users is a hard limit on the first router. I know that there is no simple way to do this now, but if somebody has some idea how to do this, they should do it.

KS

Thought for the day: Communist (n): one who has given up all hope of becoming a Capitalist.
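The per-IP cap the thread asks for (the "let's say 100 per IP" figure) can be illustrated with a small simulation that is not part of the original thread or of any firewall project: state-creation requests are read in order from a constructed state-table dump, at most 100 are admitted per source address, and the hosts that hit the cap are reported so an administrator can look at them. The line format "proto src:port -> dst:port", the sample addresses and the 150-connection "download accelerator" host are all assumptions made for this example.

```python
"""Simulated per-source-IP state limit over a constructed firewall state table.
Added example; not from the mailing-list thread or any firewall product.
The line format, addresses and counts below are constructed for illustration."""
from collections import defaultdict

PER_IP_LIMIT = 100  # the "100 per IP" figure discussed in the thread

# Constructed sample: one line per state the firewall is asked to create, in the
# hypothetical form "proto src_ip:src_port -> dst_ip:dst_port".
# 192.0.2.10 behaves like a download accelerator or worm: 150 attempts.
# 192.0.2.20 and 192.0.2.30 are ordinary hosts with a handful of states.
SAMPLE_STATES = (
    ["tcp 192.0.2.10:%d -> 198.51.100.%d:80" % (40000 + i, i % 50 + 1)
     for i in range(150)]
    + ["tcp 192.0.2.20:%d -> 198.51.100.5:443" % (50000 + i) for i in range(3)]
    + ["udp 192.0.2.30:5353 -> 198.51.100.9:53"]
)


def parse_state(line):
    """Split one state line into its protocol, source and destination parts."""
    proto, rest = line.split(" ", 1)
    src, dst = [part.strip() for part in rest.split("->")]
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "proto": proto,
        "src_ip": src_ip,
        "src_port": int(src_port),
        "dst_ip": dst_ip,
        "dst_port": int(dst_port),
    }


def admit_states(lines, limit=PER_IP_LIMIT):
    """Process state-creation requests in order, admitting at most `limit`
    per source IP. Returns (admitted_per_ip, rejected_per_ip)."""
    admitted = defaultdict(int)
    rejected = defaultdict(int)
    for line in lines:
        src_ip = parse_state(line)["src_ip"]
        if admitted[src_ip] >= limit:
            rejected[src_ip] += 1  # cap reached: the state is not created
        else:
            admitted[src_ip] += 1
    return dict(admitted), dict(rejected)


def offenders(admitted, rejected, limit=PER_IP_LIMIT):
    """Source IPs that hit the cap: the hosts the administrator should check."""
    return sorted(ip for ip in admitted
                  if admitted[ip] >= limit or rejected.get(ip, 0) > 0)


if __name__ == "__main__":
    admitted, rejected = admit_states(SAMPLE_STATES)
    print("states held without a cap:", len(SAMPLE_STATES))
    print("states held with a cap of %d per IP:" % PER_IP_LIMIT,
          sum(admitted.values()))
    for ip in offenders(admitted, rejected):
        print("host %s hit the cap: %d admitted, %d rejected"
              % (ip, admitted[ip], rejected.get(ip, 0)))
```

With the cap, the noisy host keeps its first 100 states and the other 50 attempts are refused, so the rest of the state table stays available to the well-behaved hosts; the offender list is what the user or administrator in Hynek's scenario would notice and act on.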