On Sunday 02 October 2005 00:08, ed wrote:
> On Sat, 1 Oct 2005 12:27:56 -0600 (MDT)
> Diana Eichert <[EMAIL PROTECTED]> wrote:
> > So Dweeb, what you recommend is upping the state table so we can
> > increase the amount of crap that's leaking out from the Windows
> > system? Brilliant, next time there's a Windows worm polluting the
> > network I'll just think "Wow, it's not a Windows problem, I just need
> > to buy hardware that can handle greater traffic."
>
> Then by this token we should all set a state limit of 1 state per host,
> correct? If there's something using more states it must be compromised.
> Nice theory. Why not just block the single host causing the problem:
> when you have a high state limit, try shell commands to count the states
> used every few minutes and then add the excessive hosts to a table,
> rather than choke the network. Oh, and don't resort to name calling; it
> makes the rest of the post look childish, even if there is content of
> technical merit.
Well, if you bothered to read and understand Diana's posts, you'd realise that the firewall had enough states for normal operation of the network. When a faulty host was added, it overloaded the firewall.

Now, which is a better response? Leave the faulty host running (a Windows domain controller shouldn't be sending stuff through the firewall in the first place, and shouldn't be sending lots of fragments), and open up the firewall to hide the fault? Or diagnose the fault, realise that the firewall failing is a symptom of a bad host behind the firewall, and fix the bad host?

I'd do what Diana did: diagnose the fault, discover a faulty host, and get it fixed, rather than cover over the fault by changing the firewall configuration.

Or are you suggesting that (e.g.) if one of your non-mail-sending hosts overloads the firewall with connections to port 25 on lots of different MXs, the solution is to have the firewall allow more outgoing connections, not to work out why that host has suddenly started sending mail?

--
Simon Farnsworth
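As an added example (not code from either poster), here is the per-host state count ed describes, which is also the quickest way to find the faulty host Simon wants diagnosed: a POSIX shell script that parses `pfctl -ss` output, counts states per source host, and names the hosts over a limit. It assumes the usual `pfctl -ss` line layout (`<if> <proto> <src>:<port> -> <dst>:<port> ...`), includes a constructed sample rather than output from a real firewall, and the table name `hogs` in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: find the hosts hogging pf states.
# Assumes the common `pfctl -ss` line layout
#   <if> <proto> <src>:<port> -> <dst>:<port> <state>
# Inbound-direction lines ("<-") are skipped; NAT "(addr:port)" fields are
# not used because the original source address is field 3 either way.

# Print "count host" for every source host seen, most states first.
states_per_host() {
    awk '$4 == "->" { sub(/:[^:]*$/, "", $3); n[$3]++ }
         END { for (h in n) print n[h], h }' | sort -rn
}

# Print only the hosts holding more than $1 states.
hosts_over_limit() {
    limit="$1"
    states_per_host | awk -v lim="$limit" '$1 > lim { print $2 }'
}

# Constructed sample of `pfctl -ss` output (not captured from a real box):
# 10.0.0.50 is opening SMTP connections to many MXs and holds three states,
# 10.0.0.7 holds one outbound state plus one inbound state that is ignored.
SAMPLE='all tcp 10.0.0.50:49152 -> 198.51.100.20:25       SYN_SENT:CLOSED
all tcp 10.0.0.50:49153 -> 198.51.100.21:25       SYN_SENT:CLOSED
all tcp 10.0.0.50:49154 -> 198.51.100.22:25       SYN_SENT:CLOSED
all tcp 10.0.0.7:51000 -> 203.0.113.5:443        ESTABLISHED:ESTABLISHED
all tcp 203.0.113.9:33000 <- 10.0.0.7:22         ESTABLISHED:ESTABLISHED'

# Stand-alone run over the sample: prints the host holding more than 2 states.
printf '%s\n' "$SAMPLE" | hosts_over_limit 2

# Live use (as root, from cron every few minutes), with a placeholder table
# name; pf.conf would carry `table <hogs> persist` and `block in quick from <hogs>`:
#   pfctl -ss | hosts_over_limit 500 | while read h; do pfctl -t hogs -T add "$h"; done
```

The ranked output of `states_per_host` is the diagnostic half: it tells you which host to go and fix, which is the point Simon makes, while the table add is only a stopgap until that host is repaired.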