Mike, et al.
I added responses to the new questions and a copy of an alarm for review.
See below.
Because of the traffic source (shown in alarm) I had to xxx out certain
details. The alarm is not one from a crash, just a mirror image of the last
one I got moments before it crashed.
Danny
> Q: From your message, it appears that you are running IP Passthrough
> (no NAT) to the DMZ?
>
> A: No, actually using NAT with Alias, tunnels and RAF/OBF
> filter schemes.
In that case, assuming that A.B.C.D is your GNAT Box EXT Address,
A.B.C.E is the Alias that is tunneled to the Webserver, F.G.H.I
is the DMZ (PSN) address of the GNAT Box, and F.G.H.J is the
IP address of the webserver, then:
1. Which address is the destination address of the traffic?
2. Which Interface does the alarm message say that the traffic
is arriving on?
3. Is the source address for the traffic an address that
"belongs" on either your DMZ or PRO?
Response:
1. Destination address is the actual DMZ nic address
2. Interface is External
3. No, it's a true class C
> Q: Did the firewall stop crashing when you added the filter to block
> traffic directed at the firewall? If so, then you can just change
> your filter to a Block/nolog type (see the DEFAULT filter called
> "Block/nolog stale WWW access" if you don't know how to do that).
>
> A: So far the crashes have ceased. Only been 22 hours so far.
Your simplest solution may be the one I suggested: Change the filter
that you added to a Block/nolog type of filter and just leave it in
place.
Response:
I will try that.
Here is a copy of a log email:
EMAIL NO: 10
DATE: Thu 2001-10-11 06:01:45
PRIORITY: 4
INTERFACE: EXT-DSL (xl0)
INTERFACE TYPE: External
ALARM TYPE: Block
IP PACKET: TCP [xxx.xxx.xxx.xxx/xxxx]-->[66.121.xxx.xx/80] l=0 f=0x2
[xxx.xxx.xxx.xxx-xxx-xxx.mib/xxxx]-->[adsl-.dsl.snfc21.pacbell.net/80]
Sorry for the xxx.xxx.xxx crap.
I have been asked by govt. (originating network) to avoid giving out details
on the source.
The source address is completely outside my range of IP.
> Q: When you said that version 3.1.3 did not seem susceptible to this
> form of crash, did you mean that you dropped back to 3.1.3 to check,
> or that when you were running 3.1.3 at a previous time it didn't do
> this? If the latter, then 3.1.3 might have done the same thing,
> but conditions (like all that Code Red and Nimda traffic) may have
> changed.
>
> A: Correct on the 3.1.3. When using it, only had a crash when Laplink
> pointed at the DMZ nic. I wish I could eliminate that Laplink crap.
> Never went back to that version though.
I'm going to stick to my guns and say that this doesn't tell us
anything about whether the problem existed in 3.1.3, since you
don't know that you were getting the same type of traffic directed
at the GNAT Box while you were running 3.1.3, and unless you
upgraded very recently, Nimda probably wasn't around much
while you were running 3.1.3.
Did the problem start immediately (i.e., was the time from the
upgrade to the first crash about the same amount of time that
the GNAT Box will run now without your filter)?
Response:
No, it took a few days. Now it's like clockwork. Even has a pattern over
weeks. The more the /80 traffic, the more it bombs.
Nothing struck me as a problem with your hardware platform --
maybe someone else has experience with a hardware platform that
matches yours more closely.
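As an added illustration, not code from the thread or from GNAT Box, the Python below parses alarm mails in the layout quoted above and applies the two checks Mike's questions turn on: whether the destination is one of the firewall's own addresses, and whether the packet arrived on an interface where that address does not belong (Danny's case: DMZ nic address, arriving on External). It also counts blocked TCP/80 packets per hour so the volume can be set against crash times. The alarm records and every address in it are constructed; the interface-type label "PSN" for the DMZ side and the reading of "f=" as raw TCP flag bits are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Stand-in addresses (RFC 5737 documentation ranges) for the roles Mike named.
# These are assumptions, not the poster's real addresses.
FIREWALL_SELF = {
    "203.0.113.5": "External",  # A.B.C.D: GNAT Box EXT address
    "192.0.2.1": "PSN",         # F.G.H.I: GNAT Box DMZ (PSN) nic address; label assumed
}
ALIASES = {"203.0.113.6": "192.0.2.10"}  # A.B.C.E tunneled to webserver F.G.H.J

# Constructed sample alarm mails following the quoted layout; records are
# separated by a blank line. Record 11 carries the optional resolved-name line.
SAMPLE_ALARMS = """\
EMAIL NO: 10
DATE: Thu 2001-10-11 06:01:45
PRIORITY: 4
INTERFACE: EXT-DSL (xl0)
INTERFACE TYPE: External
ALARM TYPE: Block
IP PACKET: TCP [198.51.100.7/3344]-->[192.0.2.1/80] l=0 f=0x2

EMAIL NO: 11
DATE: Thu 2001-10-11 06:02:10
PRIORITY: 4
INTERFACE: EXT-DSL (xl0)
INTERFACE TYPE: External
ALARM TYPE: Block
IP PACKET: TCP [198.51.100.7/3345]-->[192.0.2.1/80] l=0 f=0x2
[host-7.example.net/3345]-->[dmz-fw.example.net/80]

EMAIL NO: 12
DATE: Thu 2001-10-11 06:30:02
PRIORITY: 4
INTERFACE: EXT-DSL (xl0)
INTERFACE TYPE: External
ALARM TYPE: Block
IP PACKET: TCP [198.51.100.9/4021]-->[203.0.113.5/80] l=0 f=0x2

EMAIL NO: 13
DATE: Thu 2001-10-11 07:15:44
PRIORITY: 4
INTERFACE: PSN (xl1)
INTERFACE TYPE: PSN
ALARM TYPE: Block
IP PACKET: UDP [192.0.2.10/1500]-->[192.0.2.1/53] l=40 f=0x0
"""

RECORD_RE = re.compile(r"^([A-Z ]+?):\s*(.*)$")
PACKET_RE = re.compile(
    r"^(?P<proto>\w+) \[(?P<src>[^/\]]+)/(?P<sport>\d+)\]-->"
    r"\[(?P<dst>[^/\]]+)/(?P<dport>\d+)\] l=(?P<len>\d+) f=0x(?P<flags>[0-9a-fA-F]+)$"
)


def parse_alarms(text):
    """Split the mail text into records; one dict per alarm."""
    alarms, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if cur:
                alarms.append(cur)
                cur = {}
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue  # resolved-name packet line; the numeric line is authoritative
        key, val = m.group(1), m.group(2)
        if key == "IP PACKET":
            pm = PACKET_RE.match(val)
            if not pm:
                raise ValueError("unrecognised packet line: " + val)
            flags = int(pm.group("flags"), 16)
            cur["packet"] = {
                "proto": pm.group("proto"), "src": pm.group("src"),
                "sport": int(pm.group("sport")), "dst": pm.group("dst"),
                "dport": int(pm.group("dport")), "len": int(pm.group("len")),
                "flags": flags, "syn": bool(flags & 0x02),  # assumes f= are TCP flag bits
            }
        elif key == "DATE":
            cur["date"] = datetime.strptime(val, "%a %Y-%m-%d %H:%M:%S")
        else:
            cur[key.lower().replace(" ", "_")] = val
    if cur:
        alarms.append(cur)
    return alarms


def summarize(alarms):
    """Blocked TCP/80 volume per hour, plus packets aimed at a firewall address
    that arrived on an interface where that address does not belong."""
    per_hour_80 = Counter()
    misdirected = []
    for a in alarms:
        p = a["packet"]
        if a["alarm_type"] == "Block" and p["proto"] == "TCP" and p["dport"] == 80:
            per_hour_80[a["date"].strftime("%Y-%m-%d %H")] += 1
        role = FIREWALL_SELF.get(p["dst"])
        if role and role != a["interface_type"]:
            misdirected.append((a["email_no"], a["interface_type"], p["src"], p["dst"], p["dport"]))
    return {"per_hour_80": dict(per_hour_80), "misdirected": misdirected}


if __name__ == "__main__":
    print(summarize(parse_alarms(SAMPLE_ALARMS)))
```

The `misdirected` list is the set of packets a "Block/nolog" filter aimed at the firewall's own addresses would silence, so its length over a day is a direct measure of how much logging such a filter removes; the hourly TCP/80 counts are what to line up against the crash timestamps.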