
Re: arp table overflow due to windows worm



Christian Storch wrote:
On Sa, 16.10.2004, 13:39, Benjamin Goedeke wrote:
...

ethernet address, namely the one of the upstream router.) So it seems
arp resolution occurs even though the packets are being dropped. That's
why I thought the bridge before the firewall could be a good idea. But
I guess the net gets clogged even before it reaches the bridge.


Yes! That resolution is independent from chain FORWARD.
It looks into the routing table for the next hop of a packet
before using netfilter with FORWARD chain.
And then that could happen I wrote in my message some hours before!

Sorry, I think I forgot to change the To address to the list when I replied to the message you are referring to. I think you were right. There's a wrong routing entry:

134.102.0.0/16  0.0.0.0 UG    0    0    0    eth1

I will hook up one of the infected machines with that entry removed now and see how it goes. It usually takes an hour or so before they start firing away. But this looks very promising.

Thanks a bunch,
ben
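
Added example, not part of the original thread: a small Python check for the kind of routing entry discussed above, a large prefix routed with no gateway (0.0.0.0), which makes the host resolve every scanned destination by ARP on the outgoing interface. The sample table is constructed in the column layout of the quoted entry, and the 1024 threshold is an assumption based on the usual Linux default for `net.ipv4.neigh.default.gc_thresh3`.

```python
import ipaddress

# Constructed sample: destination/prefix, gateway, flags, metric, ref, use, iface.
# Only the first line is taken from the message; the others are made up.
SAMPLE_ROUTES = """\
134.102.0.0/16  0.0.0.0 UG    0    0    0    eth1
192.0.2.0/24    0.0.0.0 U     0    0    0    eth0
0.0.0.0/0       192.0.2.1 UG  0    0    0    eth0
"""


def parse_routes(text):
    """Parse route lines in the layout above; skip anything malformed."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue
        try:
            net = ipaddress.ip_network(fields[0], strict=False)
            gw = ipaddress.ip_address(fields[1])
        except ValueError:
            continue
        routes.append({"net": net, "gw": gw, "flags": fields[2], "iface": fields[6]})
    return routes


def onlink_exposure(routes, max_hosts=1024):
    """Return (prefix, iface, address count) for routes without a gateway
    that cover more addresses than the neighbour table is assumed to hold."""
    findings = []
    for r in routes:
        # Gateway 0.0.0.0 means the destination is treated as directly
        # reachable, so each distinct destination needs its own ARP entry.
        if r["gw"].is_unspecified and r["net"].num_addresses > max_hosts:
            findings.append((str(r["net"]), r["iface"], r["net"].num_addresses))
    return findings


if __name__ == "__main__":
    for prefix, iface, count in onlink_exposure(parse_routes(SAMPLE_ROUTES)):
        print(f"{prefix} on {iface}: up to {count} ARP entries, no gateway set")
```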


