[mailed and posted]
On Oct 12, 2004, at 11:08 PM, C. Falconer wrote:
> Then is this something that m0n0wall should address?
> IE, the internal IP 192.168.12.34 is spewing crap and fills up over 99% of
> the state table on its own. Maybe the firewall should drop that IP and
> somehow inform the admin?
Yes and no. This sort of thing is addressed by an Intrusion Detection
System (IDS). m0n0wall doesn't have an IDS built in, but it can work
with them. All of these work by having the m0n0wall log actions onto
some other machine. This is under
Diagnostics --> Logging --> Settings
Enable syslog'ing to remote syslog server.
And also see
The IDS will analyze those logs, and take various actions.
I recently asked about IDSs and my summary was posted in
Also check Chet Harvey's follow-up with an additional tool in
I do not know whether traffic shaping could have actively dealt with
(I'm new to m0n0wall and sophisticated firewalls and have a great deal
to learn). But certainly implementing the kinds of rules for out-bound
traffic discussed in my summary would have prevented the problem.
Jeffrey Goldberg http://www.goldmark.org/jeff/
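
Added example, not part of the original message or of m0n0wall: a sketch of the log analysis described above, run on the remote syslog host, that flags an internal address responsible for nearly all logged outbound flows. The simplified ipmon-style line format, the host and interface names, the thresholds and the function names are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed, simplified ipmon-style line: "... p SRC,SPORT -> DST,DPORT PR proto ..."
LINE_RE = re.compile(
    r"ipmon\[\d+\]: \S+ \S+ @\d+:\d+ (?P<action>[pbL]) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+),(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+),(?P<dport>\d+) PR (?P<proto>\w+)"
)

def noisy_sources(lines, internal_prefix="192.168.", max_flows=50, min_share=0.9):
    """Return {src: (distinct_flows, share)} for internal hosts whose distinct
    logged flows exceed max_flows and make up at least min_share of all flows."""
    flows = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m or not m["src"].startswith(internal_prefix):
            continue  # skip unparsable lines and sources outside the LAN
        # Count distinct (destination, port, protocol) tuples, not raw lines,
        # so a single chatty connection does not look like a flood.
        flows[m["src"]].add((m["dst"], m["dport"], m["proto"]))
    total = sum(len(f) for f in flows.values())
    return {
        src: (len(f), len(f) / total)
        for src, f in flows.items()
        if len(f) > max_flows and len(f) / total >= min_share
    }

def sample_log():
    """Constructed sample: one host opening 400 flows, one behaving normally."""
    tmpl = ("Oct 12 23:01:{s:02d} m0n0wall ipmon[86]: 23:01:{s:02d}.000000 sis0 "
            "@0:12 p {src},{sport} -> {dst},{dport} PR tcp len 20 48 -S OUT")
    lines = [tmpl.format(s=i % 60, src="192.168.12.34", sport=1025 + i,
                         dst=f"198.51.100.{i % 250 + 1}", dport=135 + i // 250)
             for i in range(400)]
    lines += [tmpl.format(s=i, src="192.168.12.50", sport=40000 + i,
                          dst="203.0.113.10", dport=port)
              for i, port in enumerate((80, 443, 25))]
    return lines

if __name__ == "__main__":
    for src, (count, share) in noisy_sources(sample_log()).items():
        print(f"ALERT {src}: {count} distinct flows, {share:.1%} of logged flows")
```

The returned addresses are what an alerting or blocking step on the log host would act on, for example by mailing the admin.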