Re: PF story, happy ending.
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: PF story, happy ending.
- From: Simon Farnsworth <openbsd_(_at_)_farnz_(_dot_)_org_(_dot_)_uk>
- Date: Sun, 2 Oct 2005 10:49:36 +0100
On Sunday 02 October 2005 00:08, ed wrote:
> On Sat, 1 Oct 2005 12:27:56 -0600 (MDT)
> Diana Eichert <deichert_(_at_)_wrench_(_dot_)_com> wrote:
> > So Dweeb, what you recommend is upping the state table so we can
> > increase the amount of crap that's leaking out from the Windows
> > system? Brilliant, next time there's a Windows worm polluting the
> > network I'll just think "Wow, it's not a Windows problem, I just need
> > to buy hardware that can handle greater traffic."
> Then by this token we should all set a state limit of 1 state per host,
> correct? If there's something using more states it must be compromised.
> Nice theory. Why not just block the single host causing the problem,
> when you have a high state limit, try shell commands to count the states
> used every few minutes and then add the excessive hosts to a table,
> rather than choke the network. Oh and don't resort to name calling, it
> makes the rest of the post look childish, even if there is content of
> technical merit.
Well, if you bothered to read and understand Diana's posts, you'd realise that
the firewall had enough states for normal operation of the network. When a
faulty host was added, it overloaded the firewall.
Now, which is a better response? Leave the faulty host running (a Windows
domain controller shouldn't be sending stuff through the firewall in the
first place, and shouldn't be sending lots of fragments), and open up the
firewall to hide the fault? Or, diagnose the fault, realise that the firewall
failing is a symptom of a bad host behind the firewall, and fix the bad host?
I'd do what Diana did: diagnose the fault, discover a faulty host, and get it
fixed, rather than cover over the fault by changing the firewall
configuration. Or are you suggesting that (e.g.) if one of your non-mail
sending hosts overloads the firewall with connections to port 25 on lots of
different MXs, the solution is to have the firewall allow more outgoing
connections, not to work out why that host has suddenly started sending mail?
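The per-host state counting that ed's quoted reply describes (count states every few minutes, put the excessive hosts in a table), written out as an added example; this is not code from either poster. It parses `pfctl -ss` output, counts states per originating host, and reports hosts over a threshold; the table name `statehogs` and the limit are assumptions, and the live `pfctl -t ... -T add` step is left as a comment.

```shell
#!/bin/sh
# Added example: find hosts holding too many PF states, using `pfctl -ss` output.
# Assumptions: a table named $TABLE is declared in pf.conf and referenced by a
# block rule; $LIMIT is the per-host state count above which a host is reported.

TABLE="${TABLE:-statehogs}"   # assumed table name
LIMIT="${LIMIT:-200}"         # assumed threshold

# Read `pfctl -ss` lines on stdin and print "count host" per originating host.
# pfctl prints outbound states as "src -> dst" and inbound states as "dst <- src";
# a NATed outbound state shows the pre-translation address in parentheses.
count_states_per_host() {
    awk '
    {
        host = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "->") {
                host = $(i - 1)
                # NAT form "translated (original) -> dst": keep the original
                if (host ~ /^\(/) host = substr(host, 2, length(host) - 2)
                break
            }
            if ($i == "<-") { host = $(i + 1); break }
        }
        if (host == "") next
        sub(/:[^:]*$/, "", host)   # strip the port
        count[host]++
    }
    END { for (h in count) print count[h], h }
    ' | sort -rn
}

# Print only the hosts whose state count exceeds $1.
hosts_over_limit() {
    count_states_per_host | awk -v lim="$1" '$1 > lim { print $2 }'
}

# Live use, run from cron every few minutes (needs root and the table in pf.conf):
#   pfctl -ss | hosts_over_limit "$LIMIT" | while read -r h; do
#       pfctl -t "$TABLE" -T add "$h"
#   done
```

Since OpenBSD 3.7, pf can do this without a script: the `max-src-states` and `overload <table>` options on a pass rule move a host into a table as soon as it exceeds its state budget.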