Date:      Sun, 27 Oct 2013 23:03:24 +0100
From:      Kajetan Staszkiewicz <vegeta@tuxpowered.net>
To:        freebsd-pf@freebsd.org
Subject:   Re: PF sanity check
Message-ID:  <201310272303.24096.vegeta@tuxpowered.net>
In-Reply-To: <CAENR%2B_VpxkefiYNoeOQ-3hLA86jt08tgy8Yn=rTzOdCqi45Y2A@mail.gmail.com>
References:  <CAENR%2B_W2UOMUkXBBJ3nOpa_nw2i5F4wm6RuxwJZJ1LNfRrSNEw@mail.gmail.com> <201310270128.47766.vegeta@tuxpowered.net> <CAENR%2B_VpxkefiYNoeOQ-3hLA86jt08tgy8Yn=rTzOdCqi45Y2A@mail.gmail.com>

On Sunday, 27 October 2013 at 16:33:23, Rumen Telbizov wrote:

> > > The question is: Is keeping two states for one connection a bad thing
> > > or is it an acceptable practice?
> >
> > It's rather a requirement. A packet incoming on one interface creates a
> > different state than the same packet outgoing on the other interface (even
> > without an if-bound state policy). And you want further, reverse-direction
> > packets in connections to be matched to existing states and passed instead
> > of traversing the rule list or hitting the block rule.
>
> Cool. I know the states are different (due to direction differences) but I
> was wondering if there was a way around that to save on the number of states
> and somehow get away with only 1 state. So now I understand having two states
> per connection is fine.

Why shouldn't it be? Searching through states is quite fast. Even with hundreds
of thousands of states it is much faster than going through a few hundred rules,
from my experience.

> I was more curious to know what you and other folks think regarding my
> first question:
>
> *Is there any security risk in me allowing the traffic to pass the external
> interface and then dropping it on the internal interface?*

That depends on whether the traffic from the Internet can hit the router's IP
stack directly. For example, if you assign public IPs of servers in VLANs to the
router's $ext_if and use nat or route-to to forward traffic to the VLANs, then
whatever does not hit those rules but is passed on $ext_if will hit the router
itself in such a case.

-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
|  Kajetan Staszkiewicz  | jabber,email: vegeta()tuxpowered net  |
|        Vegeta          | www: http://vegeta.tuxpowered.net     |
`------------------------^---------------------------------------'
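The ruleset below is an added illustration of the point made in the reply above (it is not from the thread or from either poster). It puts the "pass on $ext_if, block on $int_if" pattern next to a ruleset that makes the decision on $ext_if with a default deny, so that packets addressed to the router's own address are never passed by accident. Interface names, addresses and the management network are constructed; the syntax is the OpenBSD 4.5-era pf.conf grammar that FreeBSD used at the time of the thread.

```pf
# Added example, not part of the mailing-list thread.
# Interface names and addresses are constructed for illustration.
ext_if    = "em0"
int_if    = "em1"              # trunk carrying the server VLANs
router_ip = "198.51.100.1"     # router's own public address on $ext_if
web_pub   = "198.51.100.10"    # server's public IP, aliased on $ext_if
web_priv  = "10.0.10.10"       # server's real address inside its VLAN
mgmt_net  = "203.0.113.0/24"   # constructed: where router management comes from

set skip on lo0

# Forward the server's public IP into the VLAN. Translation runs before
# filtering, so filter rules see $web_priv as the destination.
rdr on $ext_if proto tcp from any to $web_pub port { 80, 443 } -> $web_priv

# --- Risky pattern asked about in the thread ---
# pass in  on $ext_if all keep state
# block in on $int_if all
# A packet to $router_ip matches no rdr rule, is passed by the $ext_if rule,
# and is delivered to the router's own IP stack. The $int_if rule never sees
# it, because the packet is not forwarded at all.

# --- Hardened pattern: decide on $ext_if, default deny ---
block log all

# Only traffic that has been redirected into the VLAN is accepted on $ext_if.
pass in  on $ext_if proto tcp from any to $web_priv port { 80, 443 } flags S/SA keep state

# Anything for the router itself is allowed explicitly and narrowly.
pass in  on $ext_if proto tcp from $mgmt_net to $router_ip port 22 flags S/SA keep state

# The forwarded connection also needs to leave on $int_if. This rule creates
# the second state for the same connection, one per interface, which is the
# "two states" behaviour discussed above.
pass out on $int_if proto tcp from any to $web_priv port { 80, 443 } keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it; with it loaded, `pfctl -ss` shows the two states per forwarded connection (one on $ext_if, one on $int_if), and `pfctl -sr -v` shows which rule is catching traffic addressed to $router_ip.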
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201310272303.24096.vegeta>