 
 From:  Lee Sharp <leesharp at hal dash pc dot org>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] block vs. reject in LAN rules
 Date:  Sun, 03 Jun 2007 23:01:53 -0500
Chris Buechler wrote:

> Sorry to follow up to my own post, one additional comment on that.
> Depending on the worm, they may use a protocol you allow for at least
> part of their operation, which will likely exhaust your state table
> quickly. The one infection I've seen in the last 2-3 years is on a
> network I control, but don't control the machines or what gets plugged
> in. Somebody plugged in an infected laptop and it started ping
> scanning the Internet very quickly. I allow pings on that network
> since it's useful for troubleshooting purposes. It quickly exhausted
> m0n0wall's 30,000 state table and took down the connection completely.
> That's going to be your most common problem with m0n0wall and worms,
> it's easy to exhaust the state table and difficult to increase its
> size.

At least this is easy to notice, very fast to fix, and makes you look 
like a hero to some, and a God to the one with a virus. :)  I had this 
happen last week, actually.  It was fun to release my inner BOFH.

			Lee
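
An added example, not part of this message or of m0n0wall itself: the fix Lee describes starts with finding which LAN host is holding the states. The script below parses a state-table listing, counts held states per LAN source and flags hosts over a threshold, also reporting how many distinct destinations each one talks to, since a ping scan fans out to many destinations while a busy legitimate host usually talks to a few. The "proto src[:port] -> dst[:port]" line format, the sample data and the threshold are constructed assumptions for the demonstration, not m0n0wall's actual diagnostics output.

```python
"""Find LAN hosts hogging a stateful firewall's state table.

Added example for the thread above. The state-table text format parsed
here ("proto src[:port] -> dst[:port]") is an assumption for the
demonstration, not m0n0wall's actual diagnostics output.
"""
import ipaddress
import re
from collections import Counter, defaultdict

STATE_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)


def parse_states(text):
    """Return (proto, src, dst) tuples, skipping lines that don't match."""
    entries = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            entries.append((m["proto"], m["src"], m["dst"]))
    return entries


def find_state_hogs(entries, lan_net, max_states_per_host):
    """Rank LAN sources by held states and flag those above the threshold.

    Returns a list of (src, state_count, distinct_dsts) for flagged hosts,
    busiest first. distinct_dsts separates a scanner (fans out to many
    destinations) from a busy legitimate host talking to a few servers.
    """
    net = ipaddress.ip_network(lan_net)
    counts = Counter()
    dsts = defaultdict(set)
    for _proto, src, dst in entries:
        # Only count states originated from the LAN side.
        if ipaddress.ip_address(src) in net:
            counts[src] += 1
            dsts[src].add(dst)
    hogs = [
        (src, n, len(dsts[src]))
        for src, n in counts.items()
        if n > max_states_per_host
    ]
    return sorted(hogs, key=lambda t: t[1], reverse=True)


def build_sample():
    """Constructed sample: one laptop ping-scanning, two normal hosts."""
    lines = [f"icmp 192.168.1.50 -> 203.0.113.{i}" for i in range(1, 121)]
    lines += [f"tcp 192.168.1.10:{50000 + i} -> 198.51.100.7:443" for i in range(15)]
    lines += [f"udp 192.168.1.12:{40000 + i} -> 198.51.100.53:53" for i in range(3)]
    # Entry whose source is outside the LAN; it must not be counted.
    lines.append("tcp 198.51.100.9:443 -> 192.168.1.10:50000")
    return "\n".join(lines)


if __name__ == "__main__":
    entries = parse_states(build_sample())
    for src, n, fanout in find_state_hogs(entries, "192.168.1.0/24", 50):
        print(f"{src}: {n} states to {fanout} distinct destinations")
```

With a real 30,000-entry table, set the threshold to a fraction of that limit (a single workstation holding a few thousand states is already suspicious) and look at the fan-out column before unplugging anyone: a file server with thousands of states to a handful of clients is not the laptop you are looking for.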