Hello!
I would like to share my experiences using m0n0wall 1.3b2 with the voucher modification on a 20 Mb/s up/down link with about 400 clients.
A 1-2 GHz computer with 1024 MB of memory is enough.
- Test memory chips, as faulty memory can cause problems that are difficult and hard to debug.
- Use only proper NIC gear; I tried Realtek and Broadcom. The result was random reboots under heavy load.
- Intel cards are good, also 3Com.
- Increase tcp-timeout to 30 000, for example, as keeping sessions reduces the need to negotiate connections again and again.
- Block outgoing traffic to and from the ports of known Windows worms.
- Block email traffic to eliminate spam bots.
- Enable traffic shaping; shape HTTP SYN/ACK connections. This is how surfing is possible even under heavy load.
- Warning: in the current m0n0wall version the 12 MB mfsroot directory is not enough. Especially if you give a lot of DHCP leases, enable logging and enable the DNS forwarder, the filesystem may become full. This should be increased in future versions.
The block rules I use (m0n0wall rule table: protocol, source, source port, destination, destination port, description):

Proto     Source  Port       Destination  Port       Description
TCP/UDP   *       135        *            *          DCOM RPC (listen on port 135) MS03-026
TCP/UDP   *       445        *            *          RPC Locator (port 445) MS03-001, MS04-011
TCP/UDP   *       137 - 139  *            *          NetBIOS (ports 137/138/139) MS03-049
TCP/UDP   *       5000       *            *          UPNP (port 5000) MS01-059
TCP/UDP   *       *          *            135        DCOM RPC (listen on port 135) MS03-026
TCP/UDP   *       *          *            445        RPC Locator (port 445) MS03-001, MS04-011
TCP/UDP   *       *          *            137 - 139  NetBIOS (ports 137/138/139) MS03-049
TCP/UDP   *       *          *            5000       UPNP (port 5000) MS01-059
TCP/UDP   *       *          *            25         (SMTP) Block email spam sending
Have fun with m0n0wall
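As an added example (not from the post above and not m0n0wall code), here is a small Python model of that block-rule table: it parses the port column as the m0n0wall UI shows it ("*", a single port, or a range such as "137 - 139") and reports which constructed connection tuples the ruleset would drop, so you can sanity-check the rule order before applying it on a live box. The rule order and descriptions are copied from the table; the connection tuples are constructed test data.

```python
# Added example: model the block-rule table from the post and check
# which (constructed) connection tuples it would drop.
from dataclasses import dataclass
from typing import Optional, Tuple

PortRange = Optional[Tuple[int, int]]   # None means "*" (any port)

@dataclass(frozen=True)
class Rule:
    proto: str            # "TCP/UDP", as shown in the m0n0wall UI
    src_ports: PortRange  # source port column
    dst_ports: PortRange  # destination port column
    note: str             # description column

def parse_ports(spec: str) -> PortRange:
    """'*' -> None (any); '445' -> (445, 445); '137 - 139' -> (137, 139)."""
    spec = spec.strip()
    if spec == "*":
        return None
    lo, _, hi = spec.partition("-")
    lo_i = int(lo)
    hi_i = int(hi) if hi.strip() else lo_i
    if lo_i > hi_i or not (0 < lo_i <= 65535 and hi_i <= 65535):
        raise ValueError(f"bad port spec: {spec!r}")
    return (lo_i, hi_i)

# The rule table from the post, in the same order: (src port, dst port, note)
RULES = [Rule("TCP/UDP", parse_ports(s), parse_ports(d), n) for s, d, n in [
    ("135", "*", "DCOM RPC MS03-026"),
    ("445", "*", "RPC Locator MS03-001, MS04-011"),
    ("137 - 139", "*", "NetBIOS MS03-049"),
    ("5000", "*", "UPnP MS01-059"),
    ("*", "135", "DCOM RPC MS03-026"),
    ("*", "445", "RPC Locator MS03-001, MS04-011"),
    ("*", "137 - 139", "NetBIOS MS03-049"),
    ("*", "5000", "UPnP MS01-059"),
    ("*", "25", "SMTP spam sending"),
]]

def _in_range(port: int, rng: PortRange) -> bool:
    return rng is None or rng[0] <= port <= rng[1]

def blocked_by(proto: str, sport: int, dport: int) -> Optional[str]:
    """Return the note of the first matching block rule, or None if allowed."""
    if proto.upper() not in ("TCP", "UDP"):   # rules are TCP/UDP only
        return None
    for r in RULES:
        if _in_range(sport, r.src_ports) and _in_range(dport, r.dst_ports):
            return r.note
    return None
```

Calling blocked_by("tcp", 51234, 445) returns the RPC Locator note, while an ordinary web session such as blocked_by("tcp", 51234, 80) returns None.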