program/binary ip filtering

Randy Schultz schulra at
Thu Apr 19 16:52:16 UTC 2007

Hey Bill,

Tnx much for the input.  I'm the new lead sys admin here.  Been away from
freebsd for far too long.  It's good to be back.  ;>

On Wed, 18 Apr 2007, Bill Moran spaketh thusly:

-}that you either need to write stateful rules (so that the initial connection
-}creates a state that is then used to allow traffic in both directions) or

That's what we currently have set up.

-}you need to create two rules -- one to allow traffic out, the other to
-}allow traffic in.  Stateful filtering is generally considered to be more
-}secure, but you then have concerns about properly maintaining state tables,
-}which can be a problem on very busy servers.

Oh?  Why is stateful considered more secure?  Anybody have links to good
reading on this?  I've been through the links in the handbook.  Tho' I could
have missed something, I didn't see anything on why stateful is more secure
than in/out.  

 Randy    (schulra at      725.983.1283         <*>

Rain puts a hole in stone because of its constancy, not its force.
   - H. Joseph Gerber
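The exchange above contrasts stateful rules (the first outbound packet creates a state that then admits the replies) with a two-rule setup (one rule out, one rule in). The following is an added illustration, not code from this thread or from any FreeBSD firewall: a toy Python packet filter that models both approaches so the difference Randy asks about is visible. The "two-rule" inbound rule is assumed to match the way a classic `established`-style rule does, on the source port and the TCP ACK flag, which is a simplification of real ipfw/pf behaviour; the hosts, ports and packets are constructed for the example.

```python
"""Toy model of stateful versus two-rule (stateless) filtering.

Constructed example. Packets are plain records; no real sockets are used.
The stateless filter uses two fixed rules (allow out to port 80, allow in from
port 80 when ACK is set). The stateful filter records a state entry when an
outbound packet is allowed and admits inbound packets only if they match one.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # TCP ACK flag; what an "established"-style rule keys on


@dataclass
class StatelessFilter:
    """Two explicit rules: one for the outbound direction, one for inbound."""
    allowed_dports: set = field(default_factory=lambda: {80})

    def outbound(self, p: Packet) -> bool:
        return p.dport in self.allowed_dports

    def inbound(self, p: Packet) -> bool:
        # Reply-direction rule: trusts header fields the remote host controls.
        return p.sport in self.allowed_dports and p.ack


@dataclass
class StatefulFilter:
    """One rule with keep-state semantics: outbound creates, inbound matches."""
    allowed_dports: set = field(default_factory=lambda: {80})
    states: set = field(default_factory=set)

    def outbound(self, p: Packet) -> bool:
        if p.dport not in self.allowed_dports:
            return False
        # Record the 4-tuple so the reverse direction can be matched later.
        self.states.add((p.src, p.sport, p.dst, p.dport))
        return True

    def inbound(self, p: Packet) -> bool:
        # Only packets that are the reverse of a recorded flow are admitted.
        return (p.dst, p.dport, p.src, p.sport) in self.states


def run_scenario() -> dict:
    """Return (stateless_verdict, stateful_verdict) for three constructed cases."""
    stateless, stateful = StatelessFilter(), StatefulFilter()
    inside, outside = "192.0.2.10", "203.0.113.5"  # constructed documentation addresses

    # 1. A real outbound web request followed by its reply.
    request = Packet(inside, 40000, outside, 80)
    reply = Packet(outside, 80, inside, 40000, ack=True)
    assert stateless.outbound(request) and stateful.outbound(request)
    legit_reply = (stateless.inbound(reply), stateful.inbound(reply))

    # 2. An unsolicited inbound packet with sport 80 and ACK set, aimed at a
    #    port nobody opened. The two-rule filter cannot tell it from a reply;
    #    the stateful filter has no matching state and drops it.
    unsolicited = Packet(outside, 80, inside, 22, ack=True)
    forged_probe = (stateless.inbound(unsolicited), stateful.inbound(unsolicited))

    # 3. A "reply" for a flow that was never initiated from inside.
    stray = Packet(outside, 80, inside, 40001, ack=True)
    reply_without_request = (stateless.inbound(stray), stateful.inbound(stray))

    return {
        "legit_reply": legit_reply,
        "forged_probe": forged_probe,
        "reply_without_request": reply_without_request,
    }


if __name__ == "__main__":
    for name, (sl, sf) in run_scenario().items():
        print(f"{name:24s} stateless={sl!s:5s} stateful={sf}")
```

Both filters pass the legitimate reply. The difference is in the other two cases: the two-rule filter must accept any inbound packet whose headers look like a reply, because that is all it can check, while the stateful filter requires an entry created by traffic that actually left the host. That is the usual argument for stateful filtering being the tighter policy; the cost Bill mentions is that the state table itself has to be sized and timed out sensibly on a busy box.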
