> -----Original Message-----
> From: Danny H. Cox [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, October 11, 2001 7:10 PM
> To: 'Mike Burden'; Danny H. Cox
> Cc: [EMAIL PROTECTED]
> Subject: RE: More firewall crashes.
>
> [...]
>
> > Q: Did the firewall stop crashing when you added the filter to block
> > traffic directed at the firewall? If so, then you can just change
> > your filter to a Block/nolog type (see the DEFAULT filter called
> > "Block/nolog stale WWW access" if you don't know how to do that).
> >
> > A: So far the crashes have ceased. Only been 22 hours so far.
>
> Your simplest solution may be the one I suggested: Change the filter
> that you added to a Block/nolog type of filter and just leave it in
> place.
>
> Response:
> I will try that.

You might also want to check out my message, "RE: Filter Question" dated 10/9/2001 (I sent it at 10:56am, I got my copy back from the server at 12:32pm) for more examples of filters that block/nolog traffic to cut down on false alarms.

> Here is a copy of a log email:
>
> EMAIL NO: 10
> DATE: Thu 2001-10-11 06:01:45
> PRIORITY: 4
> INTERFACE: EXT-DSL (xl0)
> INTERFACE TYPE: External
> ALARM TYPE: Block
> IP PACKET: TCP
> [xxx.xxx.xxx.xxx/xxxx]-->[66.121.xxx.xx/80] l=0 f=0x2
>
> [xxx.xxx.xxx.xxx-xxx-xxx.mib/xxxx]-->[adsl-.dsl.snfc21.pacbell.net/80]
>
> Sorry for the xxx.xxx.xxx crap.
> I have been asked by govt. (originating network) to avoid
> giving out details on the source.
> The source address is completely outside my range of IP.

Is the Government agency responsible for the source network related to your company in any way? If not, then what right do they have to ask that? In any case, why aren't they doing something about their virus problem?

If I'm getting this all correctly, you seem to be using routable IP addresses on your DMZ even though you said that you have NAT enabled. What's the reasoning behind that, since NAT would hide the DMZ addresses?

> > Q: When you said that version 3.1.3 did not seem susceptible to this
> > form of crash, did you mean that you dropped back to 3.1.3 to check,
> > or that when you were running 3.1.3 at a previous time it didn't do
> > this? If the latter, then 3.1.3 might have done the same thing,
> > but conditions (like all that Code Red and Nimda traffic) may have
> > changed.
> >
> > A: Correct on the 3.1.3. When using it, only had a crash when laplink
> > pointed at the DMZ nic. I wish I could eliminate that Laplink
> > crap. Never went back to that version though.
>
> I'm going to stick to my guns and say that this doesn't tell us
> anything about whether the problem existed in 3.1.3, since you
> don't know that you were getting the same type of traffic directed
> at the GNAT Box while you were running 3.1.3, and unless you
> upgraded very recently, the Nimda probably wasn't around much
> while you were running 3.1.3.
>
> Did the problem start immediately (i.e., was the time from the
> upgrade to the first crash about the same amount of time that
> the GNAT Box will run now without your filter)?
>
> Response:
> No, it took a few days. Now it's like clockwork. Even has a
> pattern over weeks. The more the /80 traffic, the more it bombs.

Sounds like the problem started happening as the traffic increased. Doesn't sound like you have enough data to imply that changing versions had anything to do with it at all.

Mike Burden
Lynk Systems
http://www.lynk.com
(616)532-4985
[EMAIL PROTECTED]
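As an added example (not code from this thread or from GNAT Box): a small Python parser for the alarm email format Danny quoted above, which counts how many Block alarms are TCP port-80 connection attempts per destination host, i.e. the log noise a Block/nolog filter for port 80 would silence. The sample alarms are constructed, and reading `l=` as a length and `f=` as TCP flag bits (0x02 = SYN) is my assumption, not something the thread documents.

```python
import re
from collections import Counter

# Packet line of a GNAT Box alarm email as quoted in the thread, e.g.
# "[203.0.113.5/1034]-->[192.0.2.10/80] l=0 f=0x2". Treating f= as the TCP
# flag bits (0x02 = SYN) is an assumption; the page does not document it.
PACKET_RE = re.compile(
    r"\[(?P<src>[^/\]]+)/(?P<sport>\w+)\]-->\[(?P<dst>[^/\]]+)/(?P<dport>\w+)\]"
    r"(?:\s+l=(?P<len>\d+))?(?:\s+f=0x(?P<flags>[0-9a-fA-F]+))?$"
)

def parse_alarm(text):
    """Turn one alarm email body into a dict: header fields plus src/dst/dport/flags."""
    rec = {}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = PACKET_RE.match(line)
        if m:
            if "src" not in rec:  # keep the first (numeric) packet line only
                rec.update(src=m["src"], dst=m["dst"], dport=m["dport"],
                           flags=int(m["flags"], 16) if m["flags"] else None)
        elif ":" in line:  # "KEY: value" header line; DATE keeps its inner colons
            key, _, val = line.partition(":")
            rec[key.strip().lower().replace(" ", "_")] = val.strip()
    return rec

def web_probe_summary(alarms):
    """Count Block alarms that are TCP SYNs to port 80, per destination host:
    exactly the alarms a Block/nolog filter for port 80 would stop logging."""
    hits = Counter()
    for a in alarms:
        if (a.get("alarm_type") == "Block" and a.get("ip_packet") == "TCP"
                and a.get("dport") == "80" and a.get("flags") == 0x02):
            hits[a["dst"]] += 1
    return hits

# Constructed sample alarms in the quoted format (RFC 5737 documentation addresses).
def _alarm(no, src, dst, dport, flags="0x2"):
    return (f"EMAIL NO: {no}\nDATE: Thu 2001-10-11 06:01:45\nPRIORITY: 4\n"
            f"INTERFACE: EXT-DSL (xl0)\nINTERFACE TYPE: External\nALARM TYPE: Block\n"
            f"IP PACKET: TCP\n[{src}/1034]-->[{dst}/{dport}] l=0 f={flags}\n")

SAMPLE_ALARMS = [
    _alarm(10, "203.0.113.5", "192.0.2.10", 80),
    _alarm(11, "203.0.113.9", "192.0.2.10", 80),
    _alarm(12, "203.0.113.5", "192.0.2.11", 80),
    _alarm(13, "203.0.113.7", "192.0.2.10", 25),          # SMTP, not a web probe
    _alarm(14, "203.0.113.5", "192.0.2.10", 80, "0x10"),  # ACK only, not a new connection
]

if __name__ == "__main__":
    print(web_probe_summary(parse_alarm(a) for a in SAMPLE_ALARMS))
```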
