 From:  Roberto Greiner <mrgreiner at gmail dot com>
 To:  m0n0wall <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] High CPU -problem
 Date:  Wed, 12 May 2010 10:19:01 -0300

quite a lot of the following messages:
  Limiting open port RST response from x to 200 packets/sec

with x ranging from 200 to 300.

Now, as far as I understand, this could mean someone is portscanning my 
server, or something of that nature. I intend to put a sniffer on my 
network to sort out where those packets are coming from, but my server 
has an average traffic that floats between 5 and 30Mbps, so it would be 
essential to filter out exactly the correct packets. So, could someone 
point out to me what I should look for in the packets? SYN activated? RST 
activated? In what combination?



On 11/05/2010 11:43, Roberto Greiner wrote:
> On 11/05/2010 09:05, Xavier Beaudouin wrote:
>> Hi there,

>>> On 10/05/2010 18:40, Roberto Greiner wrote:
>>>> On 10/05/2010 18:30, Manuel Kasper wrote:
>>>>> On 10.05.2010, at 23:21, Roberto Greiner wrote:

>>>>>> throughput is in the range of 10Mbps in, 3-5Mbps out.
>>>>> OK... what kind of virtualization solution? If it's VMware, then 
>>>>> make sure that you're using the e1000 NIC emulation (should appear 
>>>>> as emX device in m0n0wall, rather than lncX). This can be achieved 
>>>>> by adding ethernetX.virtualDev = "e1000" to the .vmx file.
>>>>> I haven't tested any other virtualization solutions, but using 
>>>>> VMware + e1000 on that hardware, you should easily be able to push 
>>>>> well over 100 Mbps through your m0n0wall VM.

>>>> the server does present exactly to the virtual machine, but 
>>>> Monowall identifies it 're0' (probably realtek).

>> I don't use Xen Citrix Server, but on some Xen implementation you can 
>> have... e1000 as well...
>> Xavier
> No, I just got an answer on the Citrix mail list, and in full 
> virtualization the host will always be presented with a Realtek 
> interface. One way to change that would be trying open source Xen, and 
> that would require changes to the source code. Other way would be 

> but will investigate.

> really the problem. Is there any way to verify that?
> Tks,
> Roberto

                 Marcos Roberto Greiner

    Optimists think that we are in the best of all worlds
     Pessimists fear that this is true
                                   James Branch Cabell