Re: arp table overflow due to windows worm
Christian Storch wrote:
On Sa, 16.10.2004, 13:39, Benjamin Goedeke wrote:
ethernet address, namely the one of the upstream router.) So it seems
arp resolution occurs even though the packets are being dropped. That's
why I thought the bridge before the firewall could be a good idea. But
I guess the net gets clogged even before it reaches the bridge.
Yes! That resolution is independend from chain FORWARD.
It look's into the routing table for the next hop of a packet
before using netfilter with FORWARD chain.
And then that could happen I wrote in my message some hours before!
Sorry, I think I forgot to change the to address to the list when I
replied to the message you are referring to. I think you were right.
There's an wrong routing entry:
220.127.116.11/16 0.0.0.0 UG 0 0 0 eth1
I will hook up one of the infected machines with that entry removed now
and see how it goes. It usually takes an hour or so before they start
firing away. But this looks very promising.
Thanks a bunch,