 From:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  "Monowall Support List" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Latest virus kills m0n0wall
 Date:  Sat, 11 Aug 2007 14:12:25 -0400
On 8/11/07, David Burgess <apt dot get at gmail dot com> wrote:
>
> How about dropping your tcp idle timeout on the Advanced page?
>

That might help, but you'd probably really have to crank it down to
make a significant difference, to the point that it would break things
for users who aren't causing a problem.

One of the reasons the state table fills up so fast with worm activity
is that the machines attempt to communicate with a bunch of
non-existent and firewalled hosts, which leaves the state hanging
possibly until it times out (malware likely isn't going to close half-open
connections on the firewall).

I'm not sure offhand how m0n0wall handles large numbers of half-open
connections. If you can find a way to time out half-open connections
more aggressively, that may be a partial solution to improve the
situation.

-Chris
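As an added illustration (not code from this thread or from m0n0wall), the following Python model replays 600 seconds of constructed traffic through a generic TCP state table: one workstation keeping 20 long-lived connections alive, and one infected host sending a SYN every half second to addresses that never answer. It compares three policies: a single 3600 s idle timeout, that same global timeout cranked down to 10 s (the suggestion quoted above), and a hypothetical separate 10 s timeout applied only to half-open states. The table layout, the `half_open_timeout` knob, the hosts, ports and timings are all assumptions made for the model; the post itself says nothing about how m0n0wall actually treats half-open states.

```python
"""Toy model of a stateful firewall's TCP state table under worm scanning.

Constructed example, not m0n0wall code. A state is HALF_OPEN from the SYN
until a SYN/ACK comes back, then ESTABLISHED. Two expiry rules are modelled:
the usual idle timeout, and a hypothetical shorter timeout for half-open
states only.
"""
from dataclasses import dataclass

HALF_OPEN = "half_open"      # SYN seen, no SYN/ACK from the far side yet
ESTABLISHED = "established"  # handshake completed


@dataclass
class Entry:
    state: str
    last_seen: float


class StateTable:
    """Entries keyed by (src, dst, dport, sport); expiry runs once per simulated second."""

    def __init__(self, idle_timeout, half_open_timeout=None):
        # half_open_timeout=None: half-open states use the global idle timeout,
        # i.e. the single "tcp idle timeout" knob the thread talks about.
        self.idle_timeout = idle_timeout
        self.half_open_timeout = idle_timeout if half_open_timeout is None else half_open_timeout
        self.entries = {}

    def expire(self, now):
        dead = []
        for key, e in self.entries.items():
            limit = self.half_open_timeout if e.state == HALF_OPEN else self.idle_timeout
            if now - e.last_seen >= limit:
                dead.append(key)
        for key in dead:
            del self.entries[key]
        return len(dead)

    def observe(self, now, key, kind):
        """Return False when a packet has no matching state (a real firewall would drop it)."""
        if kind == "syn":
            self.entries[key] = Entry(HALF_OPEN, now)
            return True
        e = self.entries.get(key)
        if kind == "synack" and e is not None:
            e.state, e.last_seen = ESTABLISHED, now
            return True
        if kind == "data" and e is not None and e.state == ESTABLISHED:
            e.last_seen = now
            return True
        return False

    def count(self, state=None):
        return sum(1 for e in self.entries.values() if state is None or e.state == state)


def build_scenario():
    """Constructed 600 s of traffic: one normal workstation and one infected host."""
    events = []
    # Workstation 10.0.0.5 (constructed): 20 connections whose handshake completes,
    # then one data packet every 30 s keeps each of them alive.
    for i in range(20):
        key = ("10.0.0.5", f"192.0.2.{i + 1}", 443, 40000 + i)
        events.append((float(i), key, "syn"))
        events.append((i + 0.1, key, "synack"))
        for t in range(i + 30, 600, 30):
            events.append((float(t), key, "data"))
    # Infected host 10.0.0.66 (constructed): a SYN every 0.5 s to hosts that never
    # answer, so every SYN leaves a half-open state behind (1200 over the run).
    for n, tenths in enumerate(range(0, 6000, 5)):
        key = ("10.0.0.66", f"198.51.100.{n % 254 + 1}", 445, 50000 + n)
        events.append((tenths / 10.0, key, "syn"))
    events.sort(key=lambda ev: ev[0])
    return events


def run(idle_timeout, half_open_timeout=None):
    """Replay the scenario; report peak table size and how much legitimate traffic broke."""
    table = StateTable(idle_timeout, half_open_timeout)
    peak, dropped, next_tick = 0, 0, 0.0
    for now, key, kind in build_scenario():
        while now >= next_tick:          # expire once per simulated second
            table.expire(next_tick)
            next_tick += 1.0
        if not table.observe(now, key, kind):
            dropped += 1
        peak = max(peak, table.count())
    table.expire(600.0)
    return {"peak_states": peak, "dropped_packets": dropped,
            "established_at_end": table.count(ESTABLISHED),
            "half_open_at_end": table.count(HALF_OPEN)}


if __name__ == "__main__":
    print("single 3600 s idle timeout:   ", run(3600))
    print("idle timeout cranked to 10 s: ", run(10))
    print("3600 s idle + 10 s half-open: ", run(3600, 10))
```

With the single long timeout the 1200 half-open states simply accumulate. Cranking the global timeout down to 10 s does shed them, but it also expires the workstation's idle-but-live connections between keepalives, so every one of its later data packets finds no state and is dropped. Only the separate half-open timeout keeps the table small without touching established traffic, which is the behaviour the reply above is hoping m0n0wall can be made to provide.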