 From:  "Aaron Cherman" <aaronc at morad dot ab dot ca>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Version 1.22 freeze
 Date:  Mon, 17 Jul 2006 10:52:29 -0600
> After 16 days of uptime (a new record) monowall went down. The device was 
> rebooted but went down again a couple of hours later.

Figures.

> It seems that denying ICMP data does prolong the uptime of monowall, but 
> apparently it's not enough.
>
> My next steps are:
> 1) Deny fragmented packages in general
> 2) Move management to HTTPS

Mine is set for https access only - this is standard for my setups.

> 3) Install an I-BOOT device (http://www.dataprobe.com/power/iboot.html)
> 4) Find out if anyone returned from vacation and if so - find out which 
> hardware rejoined the setup.
>
> I have a couple of questions for the list:
> 1) Is there *ANY* way that mini_httpd can crash the entire box?
> 2) If you have a device that locks up: Are you allowing management from 
> WAN

I do not allow management from the WAN - but I do from all other interfaces.

> 3) If you have a device that locks up: Are you allowing any type of 
> fragmented data?

In the Advanced tab I do have "Allow fragmented IPsec packets" checked.

> 4) Anyone getting closer to a solution?

I am at 6 days uptime (added an interface and had to reboot last week).  I 
am setting up a box to capture all packets on the WAN and LAN interfaces to 
reference that to the lockups (try anyway).  I hope to find time to get that 
gear in place this week.


Aaron