Chris Buechler wrote:
> Sorry to follow up to my own post, one additional comment on that.
> Depending on the worm, they may use a protocol you allow for at least
> part of their operation, which will likely exhaust your state table
> quickly. The one infection I've seen in the last 2-3 years is a
> network I control, but don't control the machines or what gets plugged
> in. Somebody plugged in an infected laptop and it started ping
> scanning the Internet very quickly. I allow pings on that network
> since it's useful for troubleshooting purposes. It quickly exhausted
> m0n0wall's 30,000 state table and took down the connection completely.
> That's going to be your most common problem with m0n0wall and worms,
> it's easy to exhaust the state table and difficult to increase its
> size.
At least this is easy to notice, very fast to fix, and makes you look
like a hero to some, and a God to the one with a virus. :) I had this
happen last week, actually. It was fun to release my inner BOFH.
Lee