 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Problems with net4501
 Date:  Wed, 13 Oct 2004 02:32:07 -0400
On Wed, 13 Oct 2004 19:08:58 +1300, C. Falconer
<cfalconer at avonside dot school dot nz> wrote:
> Then is this something that m0n0wall should address?
> I.e., the internal IP is spewing crap and fills up over 99% of
> the state table on its own.  Maybe the firewall should drop that IP and
> somehow inform the admin?

It is being addressed, to some extent.  The state table in the next
beta will be 30,000 rather than the current 4000 (IIRC, I think it's
4000 now).  Though the reason for upping it is not because worm
infected hosts fill the table, it's for connections that legitimately
need that many entries.

The problem with this is no matter how you do it, you're going to DoS
your firewall if you're using embedded devices.  It would have to run
something locally to watch the state table and make appropriate
changes as necessary to the firewall rules, which alone would take
some CPU time.  Then if you're dropping all that traffic, your machine
is still going to be getting hammered into the ground by that anyway.

Personally, I'd call this a *feature*.  :)  Screw up their internet
connection until they get their worm/virus/spam spreading zombies
taken care of.  :)  If every firewall did that, the internet would be
a better place.
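The thread's two themes, a single LAN host holding most of the state table and the idea of watching the table to spot that host, can be shown concretely. The following is an added illustration, not m0n0wall code and not anything posted to the list. It assumes a constructed, simplified state-dump line format (`src_ip:port -> dst_ip:port proto`) rather than the real ipfstat or pf output, so `parse_state_line()` would need adapting to a real firewall; the 4000 and 30,000 table sizes are the ones quoted in the message above.

```python
"""Per-host state-table accounting: flag LAN hosts holding an outsized share
of a firewall's connection-state table.

Added illustration, not m0n0wall code.  The dump format parsed below is a
constructed, simplified one ("src_ip:port -> dst_ip:port proto"), not the
real ipfstat/pf output; adapt parse_state_line() to what your firewall prints.
"""
from collections import Counter
import ipaddress

# Table sizes quoted in the thread: the current limit and the next beta's.
STATE_TABLE_CURRENT = 4000
STATE_TABLE_NEXT = 30000


def parse_state_line(line):
    """Return (src_ip, dst_ip, proto) from one constructed dump line, or None."""
    parts = line.split()
    if len(parts) != 4 or parts[1] != "->":
        return None
    src, _, dst, proto = parts
    src_ip = src.rsplit(":", 1)[0]
    dst_ip = dst.rsplit(":", 1)[0]
    return src_ip, dst_ip, proto.upper()


def count_states_per_host(lines, lan_net):
    """Count states per LAN source address; sources outside lan_net are ignored."""
    net = ipaddress.ip_network(lan_net)
    counts = Counter()
    for line in lines:
        parsed = parse_state_line(line)
        if parsed is None:
            continue  # malformed line, skip it
        src_ip, _, _ = parsed
        try:
            addr = ipaddress.ip_address(src_ip)
        except ValueError:
            continue
        if addr in net:
            counts[src_ip] += 1
    return counts


def find_hogs(counts, table_size, share=0.5):
    """Return (ip, count) for hosts holding more than `share` of the table, worst first."""
    limit = table_size * share
    hogs = [(ip, n) for ip, n in counts.items() if n > limit]
    hogs.sort(key=lambda item: item[1], reverse=True)
    return hogs


def build_sample_dump():
    """Constructed sample: one LAN host with 3000 states, two quiet hosts, some noise."""
    lines = []
    # Worm-like host: 3000 states to distinct destinations (constructed addresses).
    for i in range(3000):
        lines.append(f"192.168.1.50:{10000 + i} -> 10.{(i >> 8) & 255}.{i & 255}.1:445 tcp")
    # Normal hosts.
    for i in range(20):
        lines.append(f"192.168.1.10:{40000 + i} -> 203.0.113.5:80 tcp")
    for i in range(5):
        lines.append(f"192.168.1.11:{50000 + i} -> 203.0.113.9:53 udp")
    # A WAN-side source that must not be counted against any LAN host.
    lines.append("198.51.100.7:1234 -> 192.168.1.10:22 tcp")
    # A malformed line the parser must skip.
    lines.append("garbage")
    return lines


if __name__ == "__main__":
    dump = build_sample_dump()
    per_host = count_states_per_host(dump, "192.168.1.0/24")
    for size in (STATE_TABLE_CURRENT, STATE_TABLE_NEXT):
        hogs = find_hogs(per_host, size)
        print(f"table size {size}: {hogs or 'no host over half the table'}")
```

With the 4000-entry table the constructed host is flagged at 3000 states; against the 30,000-entry table the same host is under half and is not flagged, which is the point the message makes about the bigger table: it buys headroom, it does not identify the noisy host for you.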