 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] m0n0wall and Nessus/Network/NMAP Scanning
 Date:  Fri, 20 May 2005 14:06:03 -0400
On 5/20/05, Mike Mentges <mmentges at gstisecurity dot com> wrote:
> I am curious to find out if anyone else has had issues when performing
> Nessus or Nmap scans from behind a m0n0wall, and has seen
> performance drop on their network and all traffic come to a very slow
> halt.
> Today I was running Nessus scans through our m0n0wall in the office to
> remote hosts, suddenly we started having various network issues with
> regards to any network protocol. At work we use RoadRunner Business
> class. Simple webpages like Google took 10 seconds to refresh, etc.
> It was horrible. The second I stopped the scans everything worked as
> normal. To avoid messing with work's firewall I decided to take my
> work home and attempt the same scan from home, where I use m0n0wall as
> well. I found the same issues here. Has anyone else had similar issues?
> To get around the network issues I was seeing I decided to reconfigure
> my Traffic Shaper to only give a certain amount of bandwidth to my
> Nessus machine. I placed rules putting traffic sourced from my machine
> to the networks I was scanning into the upload/download #3 buckets
> giving them less bandwidth (I used the default traffic shaper wizard).
> This allowed me to use my standard RoadRunner Cable modem to both do
> scans as well as browse/e-mail/download with no issues.

I've never had problems specifically with m0n0wall when running Nessus
and similar tools, and I do a good deal of pen testing.  The only
problems I've had are when the upload gets capped, which of course is
going to make your download crawl.  The typical traffic shaper setup
doesn't work that well for that, in my experience.  Limiting the host
with traffic shaper is a good solution.  I had very serious problems
with this when I had 3.0/128 a couple years ago, now with 6.0/512 it's
still an issue but not nearly as much.

If you're using a 4501 or similarly slow machine and any of the betas
based on FreeBSD 5, you could pretty easily reach the max throughput
of the system because you're going to be pushing tons of packets and
it doesn't scale worth a crap on low end hardware.  If it's any
version based on FreeBSD 4 (anything but 1.2b5-7), then that won't be
an issue even with a small box unless you have 10+ Mb of internet