 From:  Jim Gifford <baadpuppy at gmail dot com>
 To:  "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Problem with deployment (timeout related)...
 Date:  Sat, 2 Oct 2004 11:18:14 -0400
On Sat, 02 Oct 2004 01:39:54 -0700, Josh <josh at nemesis dot net> wrote:
> 
> > Yes - I'm pretty sure you're hitting the maximum of ~4000 state table
> > entries. That's the default value for ipfilter, and can unfortunately
> > not be changed without recompiling the kernel.
> > Since m0n0wall wasn't initially meant for high volume setups like
> > yours, the state/NAT hash table sizes and maximums were just left at
> 
> 
> Just want to chime in -
> 
> I know this wasn't m0n0's original purpose, but its inclusion of
> VLAN support makes it _very_ attractive for the ISP managed
> firewall environment.  Not many commercial firewalls support
> an unlimited number of VLANs - and they are pricey.
> 
> The other thing m0n0 would need (if I'm understanding the
> rulesets right) is having an outbound firewall rule for
> 'WAN' instead of 'ANY'   (ie - to allow isolation between
> different OPT interfaces).  I would love to see this in the
> next beta as it would have other benefits as well.
> 
> Fail-over/HA would be nice too ;)
> 
> Thanks
> 
> -josh
> 
> 
> 
> 

If you don't like the default NAT rule of "allow LAN to ANY" then just
go to the menu Firewall->NAT and select the Outbound tab and check
"Enable advanced outbound NAT".  This disables all the default rules.
Then you can make all the rules exactly as you wish them to be.

hope this helps,
jim