Stateful IPFW - too many connections in FIN_WAIT_2 or LAST_ACK states

Kevin Oberman kob6558 at gmail.com
Tue Apr 17 20:18:01 UTC 2012


On Tue, Apr 17, 2012 at 12:58 PM, Michael Sierchio <kudzu at tenebras.com> wrote:
> On Tue, Apr 17, 2012 at 12:48 PM, Kevin Oberman <kob6558 at gmail.com> wrote:
>>
>>
>> But I do have to ask why you find stateful rules for outgoing TCP
>> connections desirable? Why not:
>> 00101 allow tcp from me to any established
>>
> It's useful and appropriate to have outbound connections be stateful.  It's
> not a good idea to have inbound connections stateful, as it makes it easy to
> fill up the state table.

It is occasionally useful and appropriate to have outbound connections
be stateful. I agree that inbound ones are dangerous, but I have
managed to DoS myself on an outbound entry. (Yes, it was dumb and
involved some horribly written software that kept opening and closing
sockets instead of continuing to re-use them.)

There can also be no question that they are more complex and, in most
cases, offer exactly zero advantage over 'established'. It is often
simply an automatic action that involves no thought of which is more
appropriate.
-- 
R. Kevin Oberman, Network Engineer
E-mail: kob6558 at gmail.com
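As an added illustration of the self-inflicted state-table exhaustion described in this reply (example code written for this page, not ipfw's own implementation), the toy model below tracks one dynamic entry per outbound flow, lets closed entries linger until a post-close lifetime runs out, and refuses new flows once a cap is hit. The cap, the lifetimes, the churn rate and the addresses are constructed assumptions, not ipfw defaults. Beside it, a stateless 'established' check (ACK or RST set) needs no table at all, which is the point of the comparison.

```python
# Added illustration for this thread: a toy model of a stateful firewall's
# dynamic-rule table next to a stateless 'established' check. It is NOT
# ipfw's code; table size, lifetimes and traffic rates below are constructed
# assumptions, not ipfw defaults.

ACK = 0x10  # standard TCP flag bits
RST = 0x04
SYN = 0x02


class StateTable:
    """Dynamic-rule table: one entry per tracked flow, each with an expiry time."""

    def __init__(self, max_entries, open_lifetime, closed_lifetime):
        self.max_entries = max_entries
        self.open_lifetime = open_lifetime      # lifetime while the connection is open
        self.closed_lifetime = closed_lifetime  # how long an entry lingers after close
        self.entries = {}                       # flow tuple -> expiry time (seconds)
        self.peak = 0                           # largest table size observed
        self.refused = 0                        # flows refused because the table was full

    def expire(self, now):
        """Drop entries whose lifetime has run out."""
        for flow in [f for f, exp in self.entries.items() if exp <= now]:
            del self.entries[flow]

    def open(self, flow, now):
        """Admit a new outbound connection if the table has room (keep-state)."""
        self.expire(now)
        if flow not in self.entries and len(self.entries) >= self.max_entries:
            self.refused += 1
            return False
        self.entries[flow] = now + self.open_lifetime
        self.peak = max(self.peak, len(self.entries))
        return True

    def close(self, flow, now):
        """Connection closed: the entry stays until closed_lifetime expires."""
        if flow in self.entries:
            self.entries[flow] = now + self.closed_lifetime


def established_matches(flags):
    """Stateless rule: matches TCP packets with ACK or RST set, no table needed."""
    return bool(flags & (ACK | RST))


def churn(table, rate_per_sec, duration_sec):
    """Client that opens a fresh socket per request and closes it right away.

    Returns (accepted, refused) connection counts over the run.
    """
    accepted = refused = 0
    port = 49152  # ephemeral source ports; every connection uses a new one
    for t in range(duration_sec):
        for _ in range(rate_per_sec):
            flow = ("192.0.2.10", port, "198.51.100.20", 443)  # constructed addresses
            port += 1
            if table.open(flow, t):
                accepted += 1
                table.close(flow, t)  # socket closed immediately after use
            else:
                refused += 1
    return accepted, refused


if __name__ == "__main__":
    # 100 new flows/s with entries lingering 20 s needs ~2000 entries in steady state.
    small = StateTable(max_entries=1000, open_lifetime=300, closed_lifetime=20)
    print(churn(small, 100, 30), small.peak)   # refusals once the table fills
    big = StateTable(max_entries=4096, open_lifetime=300, closed_lifetime=20)
    print(churn(big, 100, 30), big.peak)       # no refusals, peak = rate x lifetime
    print(established_matches(SYN), established_matches(SYN | ACK))
```

The steady-state table size is roughly the new-flow rate times the post-close lifetime, which is why a client that refuses to reuse sockets can exhaust a cap that looked generous; the stateless check never grows, while still rejecting a bare SYN.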

