 From:  Michael Brown <knightmb at knightmb dot dyndns dot org>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] RE: Latest virus kills m0n0wall
 Date:  Sun, 12 Aug 2007 00:31:41 -0500
I can chime in: ports that are blocked will not fill up the state table. 
All it does is generate a ton of firewall log entries for the "denied" 
port. What I would do is go ahead and generate a "block all" rule that 
is disabled. That way if you find an IP in the connection log causing 
problems, you can just add it to the list and at least stop the problem 
temporarily by enabling the rule. I've had to do this a few times due to 
virus-laden machines. It will quiet them at least until you can get 
physical access to the machine causing the issue.

Another thing, which may be a bit more complicated: if you have to allow a lot 
of traffic out, use the traffic shaper to set up pipes for certain port 
ranges. That way, say, port 80 is allowed the full bandwidth available, 
but all other ports above 1024, for example, are limited to 128K upload, 
etc. That way, those that play games or P2P share won't be able to hog 
all the bandwidth that the business people need to check e-mail, web 
surf, etc.

M0n0wall certainly gives you a lot of options to tinker with that could 


Mike wrote:
> Whether this will actually help in your case, I cannot say. I would 
> wonder if the m0n0 would eventually succumb to the constant battery of 
> the traffic being blocked. I haven't come up against this yet, so 
> someone more experienced with the underlying code might be able to 
> answer that.
> On a side note, would it be possible for you to post some form of log? 
> I would be curious to see what ports, and the destination addresses 
> that this virus is using. Usually, this will lead you to the culprit, 
> and may tell you to block a particular address(es). You have the 
> beginnings of an attack signature, so we could start from there. The 
> reason I ask is that I have yet to encounter such a creature, however 
> if it is attacking a number of your hotels, then it may be something 
> to prepare for. It seems strange that it would be striking your hotels 
> like this on such a large scale. If it's something we can identify, 
> maybe we can help as a collective.
> Mike
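The workflow Michael describes above (read the "denied" entries in the firewall log, find the host generating them, drop it into a pre-built block rule, and cap the non-web port range with a shaper pipe) as an added, stand-alone example that is not code from the original post or from the m0n0wall project. The log lines are constructed and only approximate the ipmon format m0n0wall's ipfilter logging produces; the emitted ipfilter and dummynet rule text is illustrative of what the webGUI rule and pipe would boil down to, not something you paste into m0n0wall. The interface name, addresses, threshold and rule numbers are all assumptions.

```python
import re
from collections import Counter

# Constructed sample log, loosely in ipmon style ("b" = blocked, "p" = passed).
# A real m0n0wall log may order fields differently; the regex below is tied to
# this constructed layout only.
SAMPLE_LOG = """\
Aug 12 00:30:01 m0n0wall ipmon[81]: 00:30:01.100000 sis0 @0:17 b 192.168.1.50,1034 -> 203.0.113.5,135 PR tcp len 20 48 -S IN
Aug 12 00:30:01 m0n0wall ipmon[81]: 00:30:01.200000 sis0 @0:17 b 192.168.1.50,1035 -> 203.0.113.6,135 PR tcp len 20 48 -S IN
Aug 12 00:30:01 m0n0wall ipmon[81]: 00:30:01.300000 sis0 @0:17 b 192.168.1.50,1036 -> 203.0.113.7,445 PR tcp len 20 48 -S IN
Aug 12 00:30:02 m0n0wall ipmon[81]: 00:30:02.100000 sis0 @0:17 b 192.168.1.50,1037 -> 203.0.113.8,135 PR tcp len 20 48 -S IN
Aug 12 00:30:02 m0n0wall ipmon[81]: 00:30:02.200000 sis0 @0:17 b 192.168.1.50,1038 -> 203.0.113.9,445 PR tcp len 20 48 -S IN
Aug 12 00:30:02 m0n0wall ipmon[81]: 00:30:02.300000 sis0 @0:17 b 192.168.1.20,2001 -> 198.51.100.4,135 PR tcp len 20 48 -S IN
Aug 12 00:30:03 m0n0wall ipmon[81]: 00:30:03.100000 sis0 @0:5 p 192.168.1.20,2002 -> 198.51.100.10,80 PR tcp len 20 48 -S IN
Aug 12 00:30:03 m0n0wall ipmon[81]: 00:30:03.200000 sis0 @0:5 p 192.168.1.50,1040 -> 198.51.100.10,80 PR tcp len 20 48 -S IN
"""

LINE_RE = re.compile(
    r"(?P<iface>\S+) @\d+:\d+ (?P<action>[bp]) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+),(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+),(?P<dport>\d+) PR (?P<proto>\w+)"
)


def parse_log(text):
    """Turn log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def top_denied_sources(events, threshold):
    """Internal hosts with at least `threshold` blocked packets, busiest first.
    A worm scanning outward shows up as one source hitting many destinations."""
    counts = Counter(e["src"] for e in events if e["action"] == "b")
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def ports_hit_by(events, src):
    """(proto, dport) histogram of what a given host was blocked on; this is the
    beginning of the 'attack signature' the thread asks about."""
    return Counter((e["proto"], e["dport"])
                   for e in events if e["action"] == "b" and e["src"] == src)


def ipf_block_rules(ips, iface="sis0"):
    """ipfilter-style rules for the 'block all' list (assumed interface name).
    In m0n0wall the equivalent is a disabled webGUI rule you enable when needed."""
    return ["block in quick on %s from %s to any" % (iface, ip) for ip in ips]


def dummynet_shaper_rules(lan_net, upload_kbit, pipe=1, rule=200):
    """dummynet pipe capping upload on ports above 1024 while port 80 stays
    uncapped (assumed network and rule numbers)."""
    return [
        "ipfw pipe %d config bw %dKbit/s" % (pipe, upload_kbit),
        "ipfw add %d pipe %d ip from %s to any dst-port 1024-65535 out"
        % (rule, pipe, lan_net),
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, n in top_denied_sources(evs, threshold=3):
        print("%s: %d denied, ports %s" % (ip, n, dict(ports_hit_by(evs, ip))))
    print("\n".join(ipf_block_rules([ip for ip, _ in top_denied_sources(evs, 3)])))
    print("\n".join(dummynet_shaper_rules("192.168.1.0/24", 128)))
```

The threshold is what keeps a single mistyped connection from landing a host on the block list; on a real log you would tune it against the volume of denies the firewall normally produces, and look at the ports histogram before blocking, since a host hammering 135/445 across many destinations looks very different from one retrying a single closed port.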