Results 11 to 20 of 39
  1. #11
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,235

    Possibly, it depends on the nature of the lockup. I've not seen any of my boxes lose WAN connectivity when the LAN reports failure. So VPN + SSH has been working for me.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  2. #12
    Untangle Ninja dwasserman's Avatar
    Join Date
    Jun 2008
    Location
    Argentina
    Posts
    4,367

    My recommendation:
    Use firewall rules to only permit out from workstation to port 80 and 443.
    From servers to 53 and 25 too
    Use the protocol blocker to only permit valid traffic type according to their policies.
    Log all, and view the logs.

  3. #13
    Untangle Ninja
    Join Date
    Jul 2008
    Posts
    1,129

    Quote Originally Posted by sky-knight View Post
    And No, lannie, I just do the consulting work for two large networks. 1 is 6000 users, and the other 3000... but hey don't listen I'm clueless...
    That's too bad, you seem to know what you are doing MOST of the time.

    The ones attack blocker rated at 609, were going to freetypinggame.com and doing work for class. The others were doing normal browsing with nothing out of the norm and were rated at 400+.

    I removed Attack blocker from the system and will see how it goes. It obviously is out of its mind.

    Lannie

  4. #14
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,235

    I'd say there is a packet storm of sorts used for that software. The best solution would be to bypass traffic bound for the port in question. You'll get that packet load out of the rack entirely, and eliminate those sessions.

    The thing I've learned recently... The Linux kernel doesn't have the 10k concurrent session limit. The UVM does. So if you get crap OUT of the UVM that doesn't need to be there, you can stabilize even the largest installation.

    The attack blocker is critical to the stable operation of untangle. It doesn't cause problems, it simply highlights them.

    Besides, you know as well as I do cheap educational software used by schools is some of the most poorly written trash on the planet. You can get the other extreme of course... college projects are either really really good, or really really bad.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #15
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747

    Quote Originally Posted by sky-knight View Post
    I'd say there is a packet storm of sorts used for that software. The best solution would be to bypass traffic bound for the port in question. You'll get that packet load out of the rack entirely, and eliminate those sessions.

    The thing I've learned recently... The Linux kernel doesn't have the 10k concurrent session limit. The UVM does. So if you get crap OUT of the UVM that doesn't need to be there, you can stabilize even the largest installation.

    The attack blocker is critical to the stable operation of untangle. It doesn't cause problems, it simply highlights them.
    this is spot on and worth an extra read for those of you with large sites.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  6. #16
    Untangle Ninja
    Join Date
    Jul 2008
    Posts
    1,129

    Quote Originally Posted by dmorris View Post
    this is spot on and worth an extra read for those of you with large sites.
    Explain to me how the system works better with attack blocker gone then? The users who cause the rating of 600 or higher are using http port 80. The game uses flash. They use little or no bandwidth of any kind.

    Blocking that blocks the entire use of our internet for the students. I'm just not understanding how attack blocker is rating normal web traffic so high.

    Lannie

  7. #17
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,235

    Attack Blocker is a session watchdog. Its primary function is to ensure all of your web traffic fits within the 10k concurrent session limit. Without it, you're essentially forcing the UVM to crash when it runs over 10k concurrent sessions. Which, incidentally, is directly causing the instability you're blaming the 7.x series for.

    The attack blocker isn't optional, install it and use it.

    You have a world of web traffic going to a known web server. You use that server, trust that server, and abuse that server... why are you asking untangle to check and verify the server is safe 1,000,000 times a day? It's extra load on the unit you could be applying to other processes.

    All it takes is a bypass rule that bypasses traffic bound to a single IP, and the attack blocker no longer cares. You've also lightened the box's load, and made your life easier.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  8. #18
    Untangle Ninja
    Join Date
    Jul 2008
    Posts
    1,129

    Quote Originally Posted by sky-knight View Post
    All it takes is a bypass rule that bypasses traffic bound to a single IP, and the attack blocker no longer cares. You've also lightened the box's load, and made your life easier.
    I would have to have about 50 bypass rules to cover all the sites that are used for normal http traffic that flag people with high ratings. It's easier to remove the attack blocker and have a stable system.

    Lannie

  9. #19
    Untangle Ninja
    Join Date
    Jul 2008
    Posts
    1,129

    What would be your best way of watching the attack blocker to see why it is rating users so high? Are there any tools I could use to capture or monitor?

    I assume I would have to monitor the Attack Blocker log all day and watch for trends. Would I need to capture the traffic from that host or just make a rule to log everything that IP does and review the logs to see any anomalies?

    The sites look legit and are used all the time but maybe there is something underlying I am not seeing. Everyone pushes Attack Blocker and I'm seeing no benefit for it, so I want to prove myself wrong and learn its ins and outs.

    Help!!

    Lannie

  10. #20
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747

    tcpdump (once you learn it) is hands down the best networking tool you can have IMO.

    Just ssh to untangle, and run:
    tcpdump -i eth1 -n "host 192.168.1.100"
    and you can see all host 192.168.1.100's traffic

    tcpdump -i eth0 -n -s 0 -w foo.log "host 192.168.1.100"
    will write all 192.168.1.100's packets to foo.log that you can open in wireshark for your viewing pleasure
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com
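
Added example, not part of any post in this thread: since the discussion ties Attack Blocker ratings to session load, one way to use a capture like foo.log is to count how many new TCP sessions the host opens per destination. The function name and sample lines are constructed for illustration, and the parser assumes tcpdump 4.x text output (`Flags [S]`); how Attack Blocker itself computes its rating is not stated in the thread.

```shell
#!/bin/sh
# Count new outbound TCP sessions per destination for one host, from
# `tcpdump -n` text read on stdin. A bare SYN ("Flags [S],") is a client
# opening a session; SYN-ACK ("[S.],") and data packets are ignored.
# Output: "count dst_ip:port", busiest destination first.
count_new_sessions() {
    awk -v host="$1" '
        $2 == "IP" && $4 == ">" && $6 == "Flags" && $7 == "[S]," {
            # Source and destination look like a.b.c.d.port (IPv4 only).
            if (split($3, s, "[.]") != 5) next
            if (s[1] "." s[2] "." s[3] "." s[4] != host) next
            dst = $5
            sub(/:$/, "", dst)                 # drop the trailing colon
            if (split(dst, d, "[.]") != 5) next
            count[d[1] "." d[2] "." d[3] "." d[4] ":" d[5]]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample lines (not a real capture): three sessions to one web
# server, one HTTPS session, a DNS query, and a SYN from a different host.
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 192.168.1.100.51000 > 203.0.113.10.80: Flags [S], seq 1, win 65535, length 0
12:00:01.020001 IP 203.0.113.10.80 > 192.168.1.100.51000: Flags [S.], seq 9, ack 2, win 65535, length 0
12:00:01.020101 IP 192.168.1.100.51000 > 203.0.113.10.80: Flags [.], ack 10, win 65535, length 0
12:00:01.100001 IP 192.168.1.100.51001 > 203.0.113.10.80: Flags [S], seq 5, win 65535, length 0
12:00:01.200001 IP 192.168.1.100.51002 > 203.0.113.10.80: Flags [S], seq 7, win 65535, length 0
12:00:01.300001 IP 192.168.1.100.51003 > 198.51.100.7.443: Flags [S], seq 3, win 65535, length 0
12:00:01.400001 IP 192.168.1.100.51000 > 203.0.113.10.80: Flags [P.], seq 2:300, ack 10, win 65535, length 298
12:00:01.500001 IP 192.168.1.50.40000 > 203.0.113.10.80: Flags [S], seq 4, win 65535, length 0
12:00:01.600001 IP 192.168.1.100.53000 > 192.168.1.1.53: 1234+ A? example.com. (29)
EOF
}

# Demo on the sample. For a real capture file:
#   tcpdump -n -r foo.log tcp | count_new_sessions 192.168.1.100
sample_capture | count_new_sessions 192.168.1.100
```

A destination that dominates this list is the kind of single-IP candidate for the bypass rule discussed earlier in the thread.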
