Date:      Thu, 26 Jan 2012 12:24:50 -0500
From:      satish amara <satishkamara@gmail.com>
To:        freebsd-net@freebsd.org
Subject:   stateful firewall implementation in FreeBSD
Message-ID:  <CAGSLe_G1u9hc5NuxVKQqqezWEu8i_5ChLqxc2LTRwTCcmEO3Lw@mail.gmail.com>

Hi,
I have a question regarding the stateful firewall implementation in FreeBSD.
IPF has a stateful "keep state" option.
Stateful filtering treats traffic as a bi-directional exchange of packets
comprising a session conversation. When activated, keep-state dynamically
generates internal rules for each anticipated packet being exchanged during
the bi-directional session conversation. It has sufficient matching
capabilities to determine if the session conversation between the
originating sender and the destination is following the valid procedure of
bi-directional packet exchange. Any packets that do not properly fit the
session conversation template are automatically rejected as impostors.

I have a question regarding the size of the state table kept in FreeBSD for
stateful packet inspection. Say we have a valid scenario where we have a
stateful firewall rule for HTTP and we get a lot of incoming new HTTP sessions
and the state table fills up. In that case I guess FreeBSD would reject
new sessions. I just want to know what the latest is on this. How would
FreeBSD handle it if the state table is full and we get a valid new HTTP
connection? What are the options in terms of configuration, or new features in
BSD, that would address this issue?


Thanks,
Satish K Amara



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAGSLe_G1u9hc5NuxVKQqqezWEu8i_5ChLqxc2LTRwTCcmEO3Lw>
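The failure mode asked about above (a full state table turning away legitimate new connections) is something an operator can watch for and tune before it happens. The following is an added example, not code from the original post or from any FreeBSD project source. The keep-state wording quoted in the message is the FreeBSD Handbook's description of IPFW's keep-state, so the example uses ipfw's dynamic-rule sysctls (net.inet.ip.fw.dyn_count, dyn_max and the dyn_*_lifetime knobs) and ipfw's per-source `limit` option; IPF's own state-table tunables are different and are not covered here. The sysctl output fed to the check is constructed for the example, and the function and variable names are this example's own.

```sh
#!/bin/sh
# Added example: check how close an ipfw dynamic-rule ("keep-state") table is
# to its limit, and emit the tuning commands that widen the table, expire idle
# states sooner and cap states per client. The sysctl names are real FreeBSD
# ipfw knobs; the counts below are constructed sample data.

# Constructed sysctl(8) output for a firewall whose dynamic table is almost
# full (what `sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max` prints).
SAMPLE_NEAR_FULL='net.inet.ip.fw.dyn_count: 4010
net.inet.ip.fw.dyn_max: 4096'

# Constructed output for a lightly loaded firewall.
SAMPLE_IDLE='net.inet.ip.fw.dyn_count: 120
net.inet.ip.fw.dyn_max: 4096'

# dyn_table_check THRESHOLD_PCT  (sysctl output on stdin)
# Prints "count/max dynamic rules in use (pct%)".
# Returns 1 when usage is at or above THRESHOLD_PCT (new keep-state
# connections are about to be refused), 0 otherwise, 2 if a value is missing.
dyn_table_check() {
    thr="${1:-90}"
    awk -v thr="$thr" '
        /^net\.inet\.ip\.fw\.dyn_count:/ { count = $2 }
        /^net\.inet\.ip\.fw\.dyn_max:/   { max = $2 }
        END {
            if (count == "" || max == "" || max == 0) {
                print "missing dyn_count/dyn_max"
                exit 2
            }
            pct = int(count * 100 / max)
            printf "%d/%d dynamic rules in use (%d%%)\n", count, max, pct
            exit (pct >= thr) ? 1 : 0
        }'
}

# ipfw_state_tuning_cmds NEW_MAX
# Emits (does not run) the commands that give the dynamic table more room.
# Review them and run them as root on the firewall; rule number 100 and the
# per-source cap of 64 are example values.
ipfw_state_tuning_cmds() {
    new_max="${1:-65536}"
    cat <<EOF
# raise the cap on dynamic rules (historically 4096 by default)
sysctl net.inet.ip.fw.dyn_max=$new_max
# expire idle established states sooner (default 300 s) and half-open
# ones sooner (default 20 s) so finished sessions free slots faster
sysctl net.inet.ip.fw.dyn_ack_lifetime=120
sysctl net.inet.ip.fw.dyn_syn_lifetime=10
# cap states per client address so one source cannot fill the table
ipfw add 100 allow tcp from any to me 80 setup limit src-addr 64
EOF
}

# Usage on a FreeBSD host: read the live counters and suggest tuning when
# the table is nearly full. Guarded so the script is harmless elsewhere.
if sysctl net.inet.ip.fw.dyn_max >/dev/null 2>&1; then
    sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max | dyn_table_check 90 \
        || ipfw_state_tuning_cmds
fi
```

Raising dyn_max alone only postpones the problem; the per-source `limit src-addr` cap and shorter lifetimes are what keep one busy or hostile client from exhausting the table for everyone else.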