From: "Soren Vanggaard Jensen" <svanggaard at hotmail dot com>
> After 16 days of uptime (a new record) monowall went down. The device was
> rebooted but went down again a couple of hours later.
> It seems that denying ICMP data does prolong the uptime of monowall, but
> apparently it's not enough.
Not a certainty. It could just be an unrelated coincidence. Until it is
identified, we are just guessing.
> My next steps are:
> 1) Deny fragmented packages in general
> 2) Move management to HTTPS
> 3) Install an I-BOOT device (http://www.dataprobe.com/power/iboot.html)
> 4) Find out if anyone returned from vacation and if so - find out which
> hardware rejoined the setup.
I really like #4 here. A crash on a Monday? However, 1 and 2 are not bad
choices. Also, did you ever make additional boxes to identify the side it
is coming from? For example, a bridge on the WAN side, and a few bridges for
different LAN segments.
> I have a couple of questions for the list:
> 1) Is there *ANY* way that mini_httpd can crash the entire box?
> 2) If you have a device that locks up: Are you allowing management from
> 3) If you have a device that locks up: Are you allowing any type of
> fragmented data?
> 4) Anyone getting closer to a solution?
I think you are leading the pack here. The only locks I get are occasional
CP locks, and I can still get into the box.