If I had a dollar for every time some mouth-breathing twit did
that here, well, I could at least buy some very good bottles of wine.
Upgrade the firewall to use the state limits and the overload
table, then filter the overload table and rdr web connections from it
to a web page that says basically "you have a virus, you fucktard. Fix it
and it'll work again." Put a cron job that flushes the overload table
every few hours - or, if you're really clever, make a button on the web
page they can poke to remove their machine from the table - if they do it
before they clean the machine they just go right back in.
-Bob
* Diana Eichert <[EMAIL PROTECTED]> [2005-10-01 09:31]:
> I helped a friend set up a firewall environment years ago in front of his
> web business; first it was on IPF (back when OpenBSD shipped w/IPF), then
> PF. Amazingly he's managed to keep his business up, running and growing
> through the dot-bomb period, but I digress.
>
> Once I configured PF on his network several years ago it's required very
> little interaction, then out of the blue yesterday he calls to say the
> firewall has failed and he had to bypass it! "What?" I say. I'm pretty sure
> it hasn't failed. So I tell him I'll connect into the firewall system
> remotely via a gateway I have there for emergencies so I can see what's
> really going on.
>
> Once connected I ask him to put the firewall back inline; initially he's
> pretty skeptical about doing that, since everything is "working" just fine
> without the firewall, it CAN'T be a problem with any of the other systems
> on his network. I convince him it's worth his while to let me
> troubleshoot some and he agrees. When he places it back inline I
> realize the state table is getting full within 1-20 seconds and most of
> the states getting created look like junk, LOTS of fragmented
> packets. What the &*%^? A quick view of the current rules usage shows
> the tcp packets originating from the inside are exhausting the state
> table. I have some strict host- and port-based rules incoming, but I'd
> set up global outgoing tcp, udp and icmp rules with keep state. I get him
> to disconnect one system at a time on the inside and voila, there's the
> culprit, a Windows domain controller. Once that system is disconnected
> everything goes back to normal. Turns out that morning they'd rebooted
> the system shortly before the "firewall failed", hmmm, geez now that
> would've been a piece of information I'd like to have had when I started
> my troubleshooting process.
>
> So now my buddy, realizing it was one of his Windows systems, becomes very
> contrite and apologizes for interrupting me at the office.
>
> diana
>
--
Bob Beck Computing and Network Services
[EMAIL PROTECTED] University of Alberta
True Evil hides its real intentions in its street address.
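Bob's suggestion (state limits, overload table, filter the table, rdr the offenders' web traffic to a warning page, expire the table from cron) as an added pf.conf fragment. This is example configuration written for this page, not something from the thread or from either poster; the interface name fxp1, the table name <bad_hosts>, the thresholds, and an httpd on the firewall listening on 127.0.0.1:8080 for the warning page are all assumptions. The overload and max-src-conn options need OpenBSD 3.7 or later.

```pf
# Added example, not from the original thread. Hypothetical names: fxp1 is the
# inside interface, <bad_hosts> is the overload table, and an httpd on the
# firewall listens on 127.0.0.1:8080 serving the "you have a virus" page.
int_if = "fxp1"

# Persist so the table (and whoever is in it) survives a ruleset reload.
table <bad_hosts> persist

# Raise the state limit; the default 10000 is what an infected box fills
# in seconds.
set limit states 20000

# Translation rules come before filter rules. Web requests from offenders
# are redirected to the warning page on the firewall itself, so the reply
# path needs no extra NAT.
rdr on $int_if proto tcp from <bad_hosts> to any port 80 -> 127.0.0.1 port 8080

# Offenders may reach the (already redirected) warning page and nothing else.
pass in quick on $int_if proto tcp from <bad_hosts> to 127.0.0.1 port 8080 \
    flags S/SA keep state
block in quick on $int_if from <bad_hosts>

# Global outbound TCP with source tracking: cap simultaneous connections and
# the rate of new ones per inside host. A host that exceeds either limit is
# added to <bad_hosts> and all of its existing states are killed
# ("flush global"), so the state table recovers instead of staying full.
pass in on $int_if proto tcp from $int_if:network to any flags S/SA \
    keep state (max-src-conn 100, max-src-conn-rate 15/5, \
    overload <bad_hosts> flush global)

# overload only triggers on the TCP max-src-conn / max-src-conn-rate limits,
# so UDP and ICMP just get a plain per-source state cap.
pass in on $int_if proto { udp icmp } from $int_if:network to any \
    keep state (max-src-states 200)

# crontab entry for the "flush every few hours" approach: drop entries that
# have been in the table for more than four hours.
# 0 */4 * * * /sbin/pfctl -t bad_hosts -T expire 14400
```

Load it with `pfctl -f /etc/pf.conf` and watch who lands in the table with `pfctl -t bad_hosts -T show`. Two caveats: the rdr only catches plain HTTP on port 80 (an HTTPS site will just fail with a certificate mismatch, which is arguably fine for a "go fix your machine" page), and the warning httpd must answer for any Host header and any path, since it receives requests the client meant for other servers.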
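Bob's "button on the web page they can poke" as an added example: a small POSIX sh CGI behind the warning page that deletes the visitor's own address from the overload table. This is illustration code written for this page, not from the thread; the table name <bad_hosts>, the PFCTL variable (assumed to be something like "sudo /sbin/pfctl" with a sudoers entry restricted to that one table command) and the idea that the httpd runs on the firewall are assumptions. The point a practitioner wants here is that the only thing ever handed to pfctl is a value that has been checked to be a dotted-quad address, so a forged or malformed REMOTE_ADDR cannot become an arbitrary argument.

```shell
#!/bin/sh
# Added example, not from the original thread: CGI behind the warning page's
# "remove my machine" button. Hypothetical names: table <bad_hosts>; PFCTL is
# however the web server's user is allowed to run pfctl, e.g. "sudo /sbin/pfctl"
# with a sudoers entry limited to "pfctl -t bad_hosts -T delete *".
TABLE=${TABLE:-bad_hosts}
PFCTL=${PFCTL:-/sbin/pfctl}

# Accept only a plain dotted-quad IPv4 address. The web server sets
# REMOTE_ADDR, but validating it anyway means nothing except an address can
# ever reach pfctl as an argument.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ ${#_octet} -le 3 ] || return 1
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Remove one address from the overload table. Returns 2 for a malformed
# address (nothing is executed), otherwise pfctl's own exit status.
# $PFCTL is deliberately unquoted so "sudo /sbin/pfctl" splits into two words.
unban() {
    valid_ipv4 "$1" || return 2
    $PFCTL -t "$TABLE" -T delete "$1" >/dev/null 2>&1
}

# Only honour a POST (the button), never a GET that a prefetching browser or
# a stray link could trigger.
cgi_main() {
    printf 'Content-Type: text/plain\r\n\r\n'
    if [ "${REQUEST_METHOD:-}" != POST ]; then
        printf 'Use the button on the page.\n'
        return 0
    fi
    if unban "${REMOTE_ADDR:-}"; then
        printf '%s removed from the %s table. If the machine is still infected it will be back shortly.\n' \
            "$REMOTE_ADDR" "$TABLE"
    else
        printf 'Could not remove %s from the %s table.\n' "${REMOTE_ADDR:-?}" "$TABLE"
    fi
}

# Act as a CGI only when a web server invoked us; otherwise the file just
# defines the functions above.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    cgi_main
fi
```

Because the rule above flushes the offender's states and the worm reconnects immediately, a machine that is unbanned before it is cleaned trips max-src-conn-rate again within seconds, which is exactly the behaviour Bob describes.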