Recently, I experienced a bad PC flooding the network - basically, it brought it to a halt. I have three networks, one is the ISP and the other two are subnets. One of the PCs just started spewing - from the tcpdump, all I got was "unknown protocol" and the MAC address.

After reading, I think the issue was related to BAD_TCP_PACKETS but I cannot find anything in Shorewall related to blocking/filtering bad packets. Anyone have any idea on how to prevent a single internal device from bringing a network to a crawl?

The router is a Gentoo install which does the firewall and routes traffic between two subnets, both using D-Link managed switches.

Thanks
Vernon

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
Vernon A. Fort wrote:
> Recently, I experienced a bad PC flooding the network - basically, it
> brought it to a halt. I have three networks, one is the ISP and the
> other two are subnets. One of the PCs just started spewing - from the
> tcpdump, all I got was "unknown protocol" and the MAC address.
>
> After reading, I think the issue was related to BAD_TCP_PACKETS but I
> cannot find anything in Shorewall related to blocking/filtering bad
> packets. Anyone have any idea on how to prevent a single internal
> device from bringing a network to a crawl?

There was once an 'unclean' match in iptables which Shorewall (regrettably) supported. The entire idea was a mistake and the match has long since disappeared from Netfilter. So Shorewall has no features for blocking 'bad' packets.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
On Mon, Jan 07, 2008 at 02:24:01PM -0600, Vernon A. Fort wrote:
> Anyone have any idea on how to prevent a single internal
> device from bringing a network to a crawl?

That's a QoS problem. The actual content of the traffic generated by the device is irrelevant.
Andrew Suffield wrote:
> On Mon, Jan 07, 2008 at 02:24:01PM -0600, Vernon A. Fort wrote:
>
>> Anyone have any idea on how to prevent a single internal
>> device from bringing a network to a crawl?
>>
>
> That's a QoS problem. The actual content of the traffic generated by
> the device is irrelevant.
>

That was my initial thought; however, some people don't agree. After re-thinking the issue, I agree with Tom Eastep - trying to prevent this by blocking bad packets is a really bad idea.

I am not a core network guru and this is the first time I have used Linux as a router between two internal subnets. My confusion is this: the same PC/desktop has locked up several times, but when we were using two Cisco 1620 routers on a leased T1 pipe this event NEVER had any noticeable impact on the overall network. We simply moved/consolidated both buildings into one, but we did not want to re-address the network. Having two network cards in a Linux server was way more cost effective than replacing the T1 WIC cards with Ethernet WICs.

From a discussion with a really good network resource I have, most modern-day routers/switches do NOT block the packets; they just throttle in order to keep the network functional. My initial thought was that I missed something in the underlying kernel configuration, but I am leaning towards a QoS setup so as to achieve the throttling aspect. OR would this be a combination of both?

Vernon
On Tue, Jan 08, 2008 at 12:03:00PM -0600, Vernon A. Fort wrote:
> From a discussion with a really good network resource I have, most
> modern-day routers/switches do NOT block the packets; they just
> throttle in order to keep the network functional. My initial thought
> was that I missed something in the underlying kernel configuration, but I am
> leaning towards a QoS setup so as to achieve the throttling aspect. OR
> would this be a combination of both?

Worrying about the specific possibility of bogus traffic from a broken device is futile if you don't also worry about the possibility of bogus traffic from broken software, which is more likely to look like a UDP flood. If you're going to deal with one, you pretty much need to deal with them all, and that means QoS. A simple SFQ would probably suffice.
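The "simple SFQ" suggested above, written out as tc commands for a Linux router with two LAN interfaces. This is an added example, not code from the thread or from Shorewall; it assumes eth1 and eth2 are the two subnet interfaces and that both links are 100mbit.

```shell
# Added example (not from the thread). Each LAN-facing interface gets one HTB
# class pinned at link rate with an SFQ leaf qdisc. SFQ hashes packets per
# flow and round-robins between the buckets, so a host pushing traffic through
# the router as fast as it can only gets its share of the queue instead of
# starving everyone else. This governs only what the router forwards; frames
# that stay on one switch segment never reach the router and are not shaped.
# Assumed names: eth1 and eth2 are the subnet interfaces, both 100mbit.

# Print the tc commands for one interface: tc_plan <iface> <link rate>
tc_plan() {
    iface=$1
    rate=$2
    cat <<EOF
tc qdisc del dev $iface root 2>/dev/null
tc qdisc add dev $iface root handle 1: htb default 10
tc class add dev $iface parent 1: classid 1:1 htb rate $rate ceil $rate
tc class add dev $iface parent 1:1 classid 1:10 htb rate $rate ceil $rate
tc qdisc add dev $iface parent 1:10 handle 10: sfq perturb 10
EOF
}

# The full plan for both subnet interfaces.
qos_plan() {
    tc_plan eth1 100mbit
    tc_plan eth2 100mbit
}

# Apply the plan; needs root (CAP_NET_ADMIN) and a working tc binary.
apply_qos() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_qos: must run as root" >&2; return 1; }
    qos_plan | sh -e
}

# Sanity check before applying: how many SFQ leaf qdiscs does the plan create?
count_sfq() {
    qos_plan | grep -c ' sfq '
}
```

Shorewall's own tcdevices and tcclasses files (with TC_ENABLED=Internal in shorewall.conf) build an equivalent HTB tree with SFQ leaves, so the same policy can be kept in Shorewall's configuration instead of a standalone script.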