 From:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] block vs. reject in LAN rules
 Date:  Sun, 3 Jun 2007 23:31:17 -0400
On 6/3/07, Chris Buechler <cbuechler at gmail dot com> wrote:
>
> That's a good point as well, though the types of worms that beat
> networks to death aren't really common anymore. I've only seen one
> actual infection in the last 2-3 years of something of that nature.

Sorry to follow up to my own post; one additional comment on that.
Depending on the worm, they may use a protocol you allow for at least
part of their operation, which will likely exhaust your state table
quickly. The one infection I've seen in the last 2-3 years was on a
network I control, but where I don't control the machines or what gets
plugged in. Somebody plugged in an infected laptop and it started ping
scanning the Internet very quickly. I allow pings on that network
since they're useful for troubleshooting purposes. It quickly exhausted
m0n0wall's 30,000-entry state table and took down the connection completely.
That's going to be your most common problem with m0n0wall and worms:
it's easy to exhaust the state table and difficult to increase its
size.

-Chris
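The failure mode Chris describes, modelled as an added example that is not m0n0wall code: a single host ping-scanning through an allowed ICMP rule fills a 30,000-entry state table, after which a legitimate host's ping fails. The per-source state cap is a hypothetical mitigation in this model (a generic analogue of per-host state limits some packet filters offer), not a documented m0n0wall setting; addresses are constructed sample values.

```python
from collections import defaultdict

STATE_TABLE_CAPACITY = 30_000       # figure from the post
SCANNER = "192.168.1.77"            # constructed: the infected laptop
ADMIN_HOST = "192.168.1.10"         # constructed: a legitimate LAN host


class StateTable:
    """Minimal stateful-filter model: one entry per (src, dst, proto) flow."""

    def __init__(self, capacity, max_per_source=None):
        self.capacity = capacity
        self.max_per_source = max_per_source  # hypothetical per-host cap
        self.states = set()
        self.per_source = defaultdict(int)

    def open_state(self, src, dst, proto):
        """Return True if the flow is allowed (existing or newly created)."""
        key = (src, dst, proto)
        if key in self.states:
            return True
        if (self.max_per_source is not None
                and self.per_source[src] >= self.max_per_source):
            return False  # this host already holds its share; drop it
        if len(self.states) >= self.capacity:
            return False  # table full: every new flow, from anyone, fails
        self.states.add(key)
        self.per_source[src] += 1
        return True


def exhaustion_demo(max_per_source=None):
    """Scanner pings 40,000 distinct targets, then the admin host pings once.

    Returns (states_held_by_scanner, admin_ping_allowed).
    """
    table = StateTable(STATE_TABLE_CAPACITY, max_per_source)
    scanner_states = sum(
        table.open_state(SCANNER, f"target-{i}", "icmp") for i in range(40_000)
    )
    admin_ok = table.open_state(ADMIN_HOST, "203.0.113.1", "icmp")
    return scanner_states, admin_ok


if __name__ == "__main__":
    print("no cap     :", exhaustion_demo())          # (30000, False)
    print("cap of 500 :", exhaustion_demo(500))       # (500, True)
```

Without a cap the scanner alone consumes the whole table and the admin host is locked out; with a per-source cap the scanner is limited and everyone else keeps working.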