 
 From:  Gwyn Evans <gwyn dot evans at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] How to limit max. number of NAT translation (sessions) on m0n0wall to single IP on LAN side
 Date:  Wed, 10 Nov 2004 17:26:30 +0000
[Hmm, sent direct rather than list last time...]

> If I were able to limit the number to let's say 100 per ip, then I
> would make life easier for my firewall

Arguable

>  and for the outside world of internet as well.

Doesn't follow - Outside world doesn't want better access for
virus/trojaned systems.

>   If something terrible happened that would cause a
> huge number of connections originating from the machine, the user will
> spot it and eventually complain to his/her administrator. The
> administrator will ultimately resolve the issue.

Hmm - "eventually"... "ultimately".  Meanwhile the rogue system is
still active - for the outside world, it might be better if you were
off-the-air 'till fixed!

> This would lead to the valid feature request to limit the number of
> connections per ip.

 Well, it's a valid request, but you might want to also address the
aspect of diagnostics in terms of better access/alerts if systems are
using more than a configured number of connections/ip.

/Gwyn
(Not a m0n0wall developer)
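As an added illustration of the diagnostics Gwyn suggests (not code from m0n0wall or from anyone on this thread): a small checker that counts active NAT sessions per LAN host and flags those above a configured limit, also reporting fan-out (distinct destinations), since a worm-style host typically talks to many hosts while a busy legitimate one talks to few. The session record format and all addresses are constructed for this example and are not any m0n0wall tool's real output.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumed LAN range for this example.
LAN = ip_network("192.168.1.0/24")


def build_sample():
    """Constructed sample of NAT session records, one per line:
    'src_ip:src_port -> dst_ip:dst_port proto' (a made-up format)."""
    # Normal host: 8 sessions to 2 web servers.
    lines = ["192.168.1.10:%d -> 203.0.113.5:80 tcp" % (51000 + i) for i in range(5)]
    lines += ["192.168.1.10:%d -> 203.0.113.9:443 tcp" % (52000 + i) for i in range(3)]
    # Rogue host: 150 sessions, each to a different destination on port 445.
    lines += ["192.168.1.77:%d -> 198.51.100.%d:445 tcp" % (40000 + i, i % 254 + 1)
              for i in range(150)]
    return "\n".join(lines)


def parse_sessions(text):
    """Parse the constructed record format into (src_ip, src_port, dst_ip, dst_port, proto)."""
    sessions = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        src, _, rest = line.partition(" -> ")
        dst, _, proto = rest.rpartition(" ")
        src_ip, _, src_port = src.rpartition(":")
        dst_ip, _, dst_port = dst.rpartition(":")
        sessions.append((ip_address(src_ip), int(src_port),
                         ip_address(dst_ip), int(dst_port), proto))
    return sessions


def per_host_stats(sessions, lan=LAN):
    """Map each LAN source IP to (session_count, distinct_destination_count)."""
    counts = Counter()
    fanout = defaultdict(set)
    for src_ip, _, dst_ip, _, _ in sessions:
        if src_ip in lan:
            counts[src_ip] += 1
            fanout[src_ip].add(dst_ip)
    return {str(ip): (counts[ip], len(fanout[ip])) for ip in counts}


def find_offenders(sessions, max_sessions=100, lan=LAN):
    """Return sorted (ip, sessions, distinct_destinations) for hosts over the limit."""
    stats = per_host_stats(sessions, lan)
    return sorted((ip, n, f) for ip, (n, f) in stats.items() if n > max_sessions)
```

Run periodically against a real state-table dump (after adapting the parser to its format), the result is what an alert would carry: the offending host, how far over the limit it is, and whether its traffic looks like a scan.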