 From:  Jeffrey Goldberg <jeffrey at goldmark dot org>
 To:  "C. Falconer" <cfalconer at avonside dot school dot nz>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Problems with net4501
 Date:  Wed, 13 Oct 2004 10:45:41 -0700
[mailed and posted]

On Oct 12, 2004, at 11:08 PM, C. Falconer wrote:

> Then is this something that m0n0wall should address?
>
> IE, the internal IP 192.168.12.34 is spewing crap and fills up over
> 99% of the state table on its own.  Maybe the firewall should drop
> that IP and somehow inform the admin?

Yes and no.  This sort of thing is addressed by an Intrusion Detection
System (IDS).  m0n0wall doesn't have an IDS built in, but it can work
with them.  All of these work by having the m0n0wall log actions onto
some other machine.  This is under

  Diagnostics --> Logging --> Settings
   Enable syslog'ing to remote syslog server.

And also see

    http://m0n0.ch/wall/docbook/ref-logging.html

The IDS will analyze those logs, and take various actions.

I recently asked about IDSs and my summary was posted in

    
http://m0n0.ch/wall/list/? 
action=show_msg&actionargs[]=97&actionargs[]=70

Also check Chet Harvey's follow-up with an additional tool in

    
http://m0n0.ch/wall/list/? 
action=show_msg&actionargs[]=97&actionargs[]=77

I do not know whether traffic shaping could have actively dealt with
this problem (I'm new to m0n0wall and sophisticated firewalls and have
a great deal to learn).  But certainly implementing the kinds of rules
for out-bound traffic discussed in my summary would have prevented the
problem.

-j


-- 
Jeffrey Goldberg                        http://www.goldmark.org/jeff/
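The kind of log analysis the reply describes, as an added example that is not part of the original thread or of m0n0wall: a small Python script that reads remotely syslogged, ipmon-style packet log lines, counts distinct flows per internal source address, and flags any host that accounts for most of the flows (the situation in the quoted message, where one IP filled over 99% of the state table). The log line format, interface name `sis0` and all addresses are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an assumed ipmon-style syslog format (not
# copied from a real m0n0wall log). One line per logged packet, so the same
# flow can appear more than once; distinct flows approximate state entries.
def build_sample_lines():
    fmt = ("Oct 13 10:40:{sec:02d} m0n0wall ipmon[123]: 10:40:{sec:02d}.000 sis0 "
           "@0:9 p {src},{sport} -> {dst},{dport} PR {proto} len 20 60 -S OUT")
    lines = []
    for i in range(40):  # one noisy host opening many distinct flows
        lines.append(fmt.format(sec=i % 60, src="192.168.12.34", sport=40000 + i,
                                dst="203.0.113.%d" % (i % 10 + 1), dport=80, proto="tcp"))
    for i in range(3):   # a normal host; its last flow is logged twice
        lines.append(fmt.format(sec=i, src="192.168.12.10", sport=51000 + i,
                                dst="198.51.100.20", dport=443, proto="tcp"))
    lines.append(lines[-1])
    lines.append(fmt.format(sec=5, src="192.168.12.11", sport=53000,
                            dst="198.51.100.53", dport=53, proto="udp"))
    return lines

FLOW_RE = re.compile(r"(?P<src>\d+\.\d+\.\d+\.\d+),(?P<sport>\d+) -> "
                     r"(?P<dst>\d+\.\d+\.\d+\.\d+),(?P<dport>\d+) PR (?P<proto>\w+)")

def flows_per_source(lines):
    """Map each source IP to the number of distinct (proto, sport, dst, dport) flows."""
    flows = defaultdict(set)
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:          # skip lines that are not packet log entries
            continue
        flows[m.group("src")].add((m.group("proto"), m.group("sport"),
                                   m.group("dst"), m.group("dport")))
    return {src: len(s) for src, s in flows.items()}

def dominant_sources(lines, share=0.5, min_flows=10):
    """Return [(src, flows)] for hosts holding at least `share` of all distinct flows."""
    counts = flows_per_source(lines)
    total = sum(counts.values())
    if total == 0:
        return []
    return sorted((src, n) for src, n in counts.items()
                  if n >= min_flows and n / total >= share)

if __name__ == "__main__":
    for src, n in dominant_sources(build_sample_lines()):
        print("ALERT: %s holds %d distinct flows; review or block it" % (src, n))
```

A real deployment would run this against the syslog file the remote server writes and feed the alert into whatever notification or blocking step the site uses.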