stateful firewall implementation in FreeBSD

Kevin Oberman kob6558 at gmail.com
Fri Jan 27 02:41:56 UTC 2012 

On Thu, Jan 26, 2012 at 11:41 AM, Chuck Swiger <cswiger at mac.com> wrote:
> Hi--
>
> On Jan 26, 2012, at 9:24 AM, satish amara wrote:
>> I have question regarding the size of the state table kept in FreeBSD for
>> stateful packet inspection. Say we have a valid senario where we have
>> stateful firewall rule for HTTP and we get lot of incoming new HTTP session
>> and state table is filled full. In that case I guess FreeBSD would reject
>> new sessions.  Just want to know what is the latest on this. How does
>> FreeBSD would handle if the state table is full and we get valid new HTTP
>> connection. What are options in terms of configuration or new feature in
>> BSD would address this issue.
>
> A securely designed firewall will drop connections when the state table is full.
>
> You can increase the size of the state table by following the IPF FAQ:
>
>  http://www.phildev.net/ipf/IPFques.html#ques25
>
> ...but in point of fact, keeping state for high-volume traffic is generally
> a losing game, and you are better off (IMHO) setting up stateless bidirectional
> rules which permit such high volume traffic.
>
> HTTP isn't generally too much of a problem, though-- something like a popular
> stratum-1 or 2 public NTP timeserver will easily blow out a stateful firewall
> if you try to keep state for NTP's UDP traffic.

To put it very clearly, a stateful firewall "protecting" a server is
an open invitation to DOS. It is trivial to generate enough UDP
traffic to overflow any limit on connections in a stateful firewall.
Various tricks have been tried but the reality is that none has really
succeeded. Some do help, but nowhere near enough to solve the problem.

Stateful firewalls are for clients and systems that  don't provide
publicly accessible services. Servers require stateless filters along
with IDS/IPS for effective protection.

And I do expect to get people saying that you HAVE to have a stateful
firewall is a basic requirement for a device on the Internet. I can
only say htat I know of many well known servers that do not have them
and few that do. There is a reason for that. At my old employer we
were under government security oversight and I can remember the
auditors back a few years ago who had a fit when told that no firewall
was employed, just an IDS/IPS with RTBH. The problem is that their red
team of attackers never could successfully attack which really annoyed
them to the point that they tryed toi order  that the IDS be disabled
for their attack attempts. (We refused, siting terms of the testing
agreement.)

Today, auditors still are a bit surprised that they don't use a
firewall, but are no longer upset by it as they are seeing it more
often.
-- 
R. Kevin Oberman, Network Engineer
E-mail: kob6558 at gmail.com

More information about the freebsd-net mailing list