An update on the situation: I set up a port mirror on the switch and sniffed the traffic to the m0n0 box. I found about 10 hosts spewing (there is no better word) TCP SYN packets all over the internet to random IPs, but all on destination port 445. Apparently there are quite a few viruses that do this. After turning off the offending users, the m0n0 is stable and the connection is normal and perfectly usable.

So, with the shaping turned on, the total outbound bandwidth being used was only about 600 kbit or so, leaving lots of free bandwidth. However, it seems to me (and I am totally guessing) that the total number of connections still managed to overwhelm the m0n0 (again, generic PC image, 1.8 Celeron, 512MB RAM).

Curiously, before the virus-laden ports were shut down, the firewall showed several blocked packets originating from the LAN and outgoing to the internet on TCP port 445. I have NOT blocked that port outgoing. Is it blocked by the default rule perhaps? I wish I had kept the logs, because now those blocks aren't showing.

Assuming it is a too-many-connections problem, is there anything that can be done to stop these kinds of things from taking out a m0n0 box? Would simply blocking that port incoming on the LAN help, or would that not help a thing? Even if it does help, it would only help for connections on that port, which is a stop-gap solution at best. When the next worm-du-jour shows up, it will be the same problem all over again.

Thoughts?

Bryan

________________________________
From: Bryan Brayton [mailto:bryan at sonicburst dot net]
Sent: Tue 8/31/2004 10:47 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] m0n0 stops accepting new connections

Hi all,

I have a problem with the m0n0 I'm using for my dorm network. I'm using the 1.1 generic PC image on a 1.8 GHz Celeron with 512MB memory. I have traffic shaping enabled, with each user limited to 384/64.

The traffic shaping is working well; however, after an hour or so of use, the m0n0 stops accepting new inbound/outbound connections. M0n0 is still passing traffic (as evidenced by the traffic graph), but it doesn't seem to allow new inbound or outbound connections. Resetting the states fixes this temporarily.

So assuming this is the problem: Is there a way to tell how many connections m0n0 is currently processing? Is there a way to increase the number of connections m0n0 can handle? Is there a limit on the number of simultaneous connections m0n0 can handle on this hardware?

Any help would be greatly appreciated.

Thanks,
Bryan
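The port-mirror analysis Bryan describes (find LAN hosts sending SYNs to TCP/445 at many different destinations, and see how many firewall states each host is consuming) can be automated. The script below is an added example and is not from the m0n0wall list or the m0n0wall project; it reads a simplified, constructed tcpdump-style line format (`<ts> <src>.<sport> > <dst>.<dport>: Flags [<flags>]`), and the detection threshold (`MIN_DISTINCT_DSTS`), the helper names and the sample lines are all assumptions made for the example.

```python
"""Flag LAN hosts that open TCP/445 connections to many distinct destinations.

Added example, not m0n0wall code. Input lines are a constructed, simplified
tcpdump-style format; a real capture would be read with tcpdump -n and
adapted to this parser. Thresholds are assumptions.
"""
import re
from collections import defaultdict

SCAN_PORT = 445            # the port the worm traffic in the post was aimed at
MIN_DISTINCT_DSTS = 5      # assumption: a normal client rarely talks SMB to this many hosts

# <ts> <src_ip>.<sport> > <dst_ip>.<dport>: Flags [<flags>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a dict for one capture line, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "src": d["src"],
        "sport": int(d["sport"]),
        "dst": d["dst"],
        "dport": int(d["dport"]),
        # tcpdump prints a bare SYN as [S]; [S.] is a SYN-ACK, [.] a plain ACK
        "syn": d["flags"] == "S",
    }


def find_scanners(lines, port=SCAN_PORT, min_dsts=MIN_DISTINCT_DSTS):
    """Return {src: (distinct_destinations, syn_count)} for hosts that SYN to
    `port` on at least `min_dsts` different destination IPs."""
    dsts = defaultdict(set)
    syns = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["syn"] or rec["dport"] != port:
            continue
        dsts[rec["src"]].add(rec["dst"])
        syns[rec["src"]] += 1
    return {src: (len(d), syns[src]) for src, d in dsts.items() if len(d) >= min_dsts}


def state_counts(lines):
    """Approximate firewall states per source: one state per outbound SYN with a
    distinct (src, sport, dst, dport) tuple, regardless of port. This is what
    fills the state table even when bandwidth use is low."""
    tuples = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["syn"]:
            continue
        tuples[rec["src"]].add((rec["sport"], rec["dst"], rec["dport"]))
    return {src: len(t) for src, t in tuples.items()}


# Constructed sample capture: 10.0.0.5 behaves like the worm-infected hosts in
# the post, 10.0.0.7 is a normal user, 10.0.0.9 is below the threshold.
SAMPLE_LINES = [
    "10:47:01.000 10.0.0.5.1025 > 192.0.2.5.445: Flags [S]",
    "10:47:01.001 10.0.0.5.1026 > 203.0.113.9.445: Flags [S]",
    "10:47:01.002 10.0.0.5.1027 > 198.51.100.4.445: Flags [S]",
    "10:47:01.003 10.0.0.5.1028 > 192.0.2.77.445: Flags [S]",
    "10:47:01.004 10.0.0.5.1029 > 10.11.12.13.445: Flags [S]",
    "10:47:01.005 10.0.0.5.1030 > 172.16.5.6.445: Flags [S]",
    "10:47:02.000 10.0.0.7.3001 > 192.0.2.10.80: Flags [S]",
    "10:47:02.001 192.0.2.10.80 > 10.0.0.7.3001: Flags [S.]",
    "10:47:02.002 10.0.0.7.3002 > 10.0.0.2.445: Flags [S]",
    "10:47:02.003 10.0.0.7.3002 > 10.0.0.2.445: Flags [.]",
    "10:47:03.000 10.0.0.9.2001 > 198.51.100.50.445: Flags [S]",
    "10:47:03.001 10.0.0.9.2002 > 198.51.100.51.445: Flags [S]",
    "10:47:03.002 10.0.0.9.2003 > 198.51.100.52.445: Flags [S]",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for src, (n_dst, n_syn) in find_scanners(SAMPLE_LINES).items():
        print(f"{src}: SYN to port {SCAN_PORT} on {n_dst} distinct hosts ({n_syn} SYNs)")
    print("states per source:", state_counts(SAMPLE_LINES))
```

The distinct-destination count is the signal that separates a scanning worm from a legitimate SMB client, which normally talks to one or two file servers; the per-source state count is the number the original post was guessing at when it suspected the state table rather than bandwidth was being exhausted, so it is the figure to compare against whatever state limit the firewall enforces.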