On Thu, 23 Feb 2006, Ryan McBride wrote:

SNIP

> In my opinion if you're talking about NATing 750 Windows boxes doing
> regular Windows-type things, you're going to want to at least crank
> the limits on states and turn on adaptive timeouts; I wouldn't go any
> further than that unless you run into actual problems, but you can also
> think about using some of the other connection limiting features to
> prevent trojaned systems from filling the state table and impacting
> other users.

I "help" a friend out with the FW in front of their company webservers. I agree with Ryan's observation, one because I'm pretty sure he knows what he's doing, two because I have direct experience in attempting to protect Windows systems. On more than one occasion the owner of the business has called me up to say there's a problem with the FW; every time they've said that, it was related to one of their Windows systems getting tilted.

> Things to think about (roughly in order of aggressiveness):
>
> - 'set limit states'
> - adaptive timeouts
> - 'set optimization'

SNIP

> -Ryan

diana

Past hissy-fits are not a predictor of future hissy-fits.
Nick Holland (06 Dec 2005)
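
A pf.conf sketch of the settings named in the quoted list, plus per-source limits of the kind the quoted text calls connection limiting features. It is an added example, not configuration from either poster; the interface name, the table name and every number are assumed values to be sized for the actual site.

```conf
# Added example, not from the thread. Interface, table name and all
# numbers are assumptions; check current usage with `pfctl -si`
# (state count) and `pfctl -sm` (memory limits) before picking values.
int_if = "em1"                  # assumed LAN-facing interface

# 1. 'set limit states': raise the ceiling on the state table.
set limit states 100000

# 2. Adaptive timeouts: once the state count passes adaptive.start,
#    timeouts shrink linearly and reach zero at adaptive.end, so idle
#    states are purged faster as the table fills.
set timeout { adaptive.start 60000, adaptive.end 120000 }

# 3. 'set optimization': the most aggressive step. It shortens the
#    timeouts globally and can expire idle but legitimate sessions,
#    so it stays commented out until the first two prove insufficient.
# set optimization aggressive

# Per-source limits so one compromised host cannot fill the table.
table <flooders> persist
block in quick on $int_if from <flooders>

# All protocols: cap the states any single inside address may hold.
pass in on $int_if from $int_if:network to any \
    keep state (max-src-states 500)

# TCP: also cap the rate of completed connections per source; sources
# that exceed it land in <flooders> and their existing states are flushed.
pass in on $int_if proto tcp from $int_if:network to any flags S/SA \
    keep state (max-src-states 500, max-src-conn-rate 100/10, \
    overload <flooders> flush)
```

`pfctl -t flooders -T show` lists the addresses that tripped the rate limit, which points straight at the machine that needs cleaning.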