From: "Soren Vanggaard Jensen" <svanggaard at hotmail dot com>

> After 16 days of uptime (a new record) monowall went down. The device was
> rebooted but went down again a couple of hours later.

Well crap...

> It seems that denying ICMP data does prolong the uptime of monowall, but
> apparently it's not enough.

Not a certainty. It could just be an unrelated coincidence. Until it is identified, we are just guessing.

> My next steps are:
> 1) Deny fragmented packages in general
> 2) Move management to HTTPS
> 3) Install an I-BOOT device (http://www.dataprobe.com/power/iboot.html)
> 4) Find out if anyone returned from vacation and if so - find out which
> hardware rejoined the setup.

I really like #4 here. A crash on a Monday? However, 1 and 2 are not bad choices. Also, did you ever make additional boxes to identify the side it is coming from? For example a bridge on the WAN side, and a few bridges for different LAN segments.

> I have a couple of questions for the list:
> 1) Is there *ANY* way that mini_httpd can crash the entire box?
> 2) If you have a device that locks up: Are you allowing management from
> WAN
> 3) If you have a device that locks up: Are you allowing any type of
> fragmented data?
> 4) Anyone getting closer to a solution?

I think you are leading the pack here. The only locks I get are occasional CP locks, and I can still get into the box.

Lee