 
 From:  "Lee Sharp" <leesharp at hal dash pc dot org>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Version 1.22 freeze
 Date:  Mon, 17 Jul 2006 10:13:14 -0500
From: "Soren Vanggaard Jensen" <svanggaard at hotmail dot com>

> After 16 days of uptime (a new record) monowall went down. The device was 
> rebooted but went down again a couple of hours later.

Well crap...

> It seems that denying ICMP data does prolong the uptime of monowall, but 
> apparently it's not enough.

Not a certainty.  It could just be an unrelated coincidence.  Until it is 
identified, we are just guessing.

> My next steps are:
> 1) Deny fragmented packages in general
> 2) Move management to HTTPS
> 3) Install an I-BOOT device (http://www.dataprobe.com/power/iboot.html)
> 4) Find out if anyone returned from vacation and if so - find out which 
> hardware rejoined the setup.

I really like #4 here.  A crash on a Monday?  However, 1 and 2 are not bad 
choices.  Also, did you ever make additional boxes to identify the side it 
is coming from?  For example a bridge on the WAN side, and a few bridges for 
different LAN segments.

> I have a couple of questions for the list:
> 1) Is there *ANY* way that mini_httpd can crash the entire box?
> 2) If you have a device that locks up: Are you allowing management from WAN?
> 3) If you have a device that locks up: Are you allowing any type of fragmented data?
> 4) Anyone getting closer to a solution?

I think you are leading the pack here.  The only locks I get are occasional 
CP locks, and I can still get into the box.

                                Lee