Joe Lagreca wrote:
> I have a client that is running a m0n0wall. I have been watching
> their network activity via the traffic graph, and I see that their
> outbound traffic has been pegged all day. I would like to find out
> which machine is causing this and why. How can I go about figuring
> this out? Is there some SNMP monitoring utility I can run that will
> give me per user bandwidth information, etc? Thanks.
Welcome to the Storm Worm. I got quite good at this. (Thanks in no
small part to the list.)
1) Go to Firewall states, and take a snapshot.
2) View Delta. You don't need to wait more than 10 seconds or so, as
Storm sends a lot of traffic.
3) Sort by IP. The offending IP will have a lot of traffic to many
hosts. Up to 300 a minute.
4) Go to the LAN section of the firewall rules and create a new rule
High that blocks all from that IP.
5) Watch the net performance get so much better. Wait for a ticked off
user to call. See if they recognize the system name from the DHCP
Leases section for that IP.
6) Have beer.
This is my LAN ruleset for a hotel that gets a lot. I just disable the
default rule to clean it up enough to work. DHCP is .100 - .200
X * 192.168.68.224/28 * * * Virus Block
X * 192.168.68.208/28 * * * Virus Block
^ * * * * * Default LAN -> any
^ LAN net * * 80 (HTTP) HTTP LAN -> any
^ LAN net * * 443 (HTTPS) HTTPS LAN -> any
^ LAN net * * 110 (POP3) POP3 LAN -> any
^ LAN net * * 25 (SMTP) SMTP LAN -> any
^ LAN net * * 21 (FTP) FTP LAN -> any
^ LAN net * * 143 (IMAP) IMAP LAN -> any
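Steps 1 to 3 above, turned into a small script: an added example, not code from the original post or from m0n0wall itself. It assumes a simplified, constructed line layout for the states delta (`proto src:port -> dst:port state`) and ranks LAN sources by how many distinct destination hosts they opened states to, which is what makes the infected machine stand out.

```python
import re
from collections import defaultdict

# Constructed sample of a firewall-states delta (states that appeared between two
# snapshots). The line layout is an assumed, simplified one; paste the real delta
# from the m0n0wall states page into the same shape before using this.
STATE_DELTA = """\
tcp 192.168.68.130:51234 -> 203.0.113.5:25 SYN_SENT:CLOSED
tcp 192.168.68.130:51235 -> 203.0.113.9:25 SYN_SENT:CLOSED
tcp 192.168.68.130:51236 -> 198.51.100.14:25 SYN_SENT:CLOSED
udp 192.168.68.130:4000 -> 198.51.100.77:7871 MULTIPLE:SINGLE
udp 192.168.68.130:4000 -> 198.51.100.78:7871 MULTIPLE:SINGLE
tcp 192.168.68.130:51237 -> 192.0.2.33:25 SYN_SENT:CLOSED
tcp 192.168.68.150:40001 -> 203.0.113.80:80 ESTABLISHED:ESTABLISHED
tcp 192.168.68.150:40002 -> 203.0.113.80:443 ESTABLISHED:ESTABLISHED
tcp 192.168.68.150:40003 -> 203.0.113.81:443 ESTABLISHED:ESTABLISHED
tcp 203.0.113.200:5555 -> 192.168.68.1:22 ESTABLISHED:ESTABLISHED
garbage line that should be skipped
"""

STATE_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_states(text):
    """Yield (proto, src, dst, dport) for each line that matches; skip the rest."""
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            yield m["proto"], m["src"], m["dst"], int(m["dport"])

def top_talkers(text, lan_prefix="192.168.68.", min_hosts=5):
    """Return [(src, distinct_hosts, states)] for LAN sources touching at least
    min_hosts distinct destinations, most fanned-out first."""
    hosts = defaultdict(set)
    states = defaultdict(int)
    for _proto, src, dst, _dport in parse_states(text):
        if not src.startswith(lan_prefix):
            continue  # only LAN-originated states matter for finding the culprit
        hosts[src].add(dst)
        states[src] += 1
    ranked = [(s, len(h), states[s]) for s, h in hosts.items() if len(h) >= min_hosts]
    return sorted(ranked, key=lambda r: (r[1], r[2]), reverse=True)

if __name__ == "__main__":
    for src, n_hosts, n_states in top_talkers(STATE_DELTA):
        print(f"{src}: {n_hosts} distinct hosts, {n_states} states")  # → 192.168.68.130: 6 distinct hosts, 6 states
```

Once the top entry is known, the DHCP Leases page gives the hostname for step 5.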