program/binary ip filtering
Randy Schultz
schulra at earlham.edu
Thu Apr 19 16:52:16 UTC 2007
Hey Bill,
Tnx much for the input. I'm the new lead sys admin here. Been away from
freebsd for far too long. It's good to be back. ;>
On Wed, 18 Apr 2007, Bill Moran spaketh thusly:
-}
-}that you either need to write stateful rules (so that the initial connection
-}creates a state that is then used to allow traffic in both directions) or
That's what we currently have set up.
-}you need to create two rules -- one to allow traffic out, the other to
-}allow traffic in. Stateful filtering is generally considered to be more
-}secure, but you then have concerns about properly maintaining state tables,
-}which can be a problem on very busy servers.
Oh? Why is stateful considered more secure? Anybody have links to good
reading on this? I've been through the links in the handbook. Tho' I could
have missed something, I didn't see anything on why stateful is more secure
than in/out.
--
Randy (schulra at earlham.edu) 725.983.1283 <*>
Rain puts a hole in stone because of its constancy, not its force.
- H. Joseph Gerber
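The difference Bill describes, as an added toy simulation (not code from the thread and not pf or ipfw syntax): a two-rule in/out policy has to admit any inbound packet aimed at a client port, while a state-keeping rule admits inbound traffic only when it matches a flow the host itself opened. HOST and the sample addresses are constructed, and the state table is a deliberately simplified model (a size cap stands in for the busy-server concern).

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport syn ack")
HOST = "10.0.0.5"  # constructed address of the protected machine

def stateless_allows(pkt):
    """Two-rule policy: 'allow out' from HOST plus 'allow in' to HOST's high ports.
    The inbound rule cannot tell a reply from an unsolicited packet, so it must
    admit anything aimed at a port a client might be using."""
    if pkt.src == HOST:
        return True
    return pkt.dst == HOST and pkt.dport >= 1024

class StatefulFilter:
    """One 'pass out keep state' rule; inbound traffic is admitted only when it
    matches a state created by an earlier outbound SYN (simplified state table)."""

    def __init__(self, max_states=1000):
        self.states = set()
        self.max_states = max_states

    def allows(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.src == HOST:
            if pkt.syn and not pkt.ack:               # new outbound connection
                if len(self.states) >= self.max_states:
                    return False                      # table full: the busy-server concern
                self.states.add(key)
                return True
            return key in self.states                 # later segments of that flow
        # inbound: pass only if the reversed 4-tuple is an existing state
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.states

def compare(packets, max_states=1000):
    """Return (stateless_decision, stateful_decision) for each packet in order."""
    sf = StatefulFilter(max_states)
    return [(stateless_allows(p), sf.allows(p)) for p in packets]

# Constructed traffic: a legitimate outbound web fetch, then an unsolicited packet
SAMPLE = [
    Packet(HOST, 50000, "203.0.113.10", 80, True, False),   # client SYN out
    Packet("203.0.113.10", 80, HOST, 50000, True, True),    # server SYN/ACK back
    Packet("198.51.100.7", 80, HOST, 51234, False, True),   # nobody asked for this
]

if __name__ == "__main__":
    for pkt, (sl, st) in zip(SAMPLE, compare(SAMPLE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  "
              f"stateless={'pass' if sl else 'block'}  stateful={'pass' if st else 'block'}")
```

The third packet is the security-relevant case: the stateless pair passes it because it looks like a reply, the stateful rule blocks it because no matching state exists.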