From owner-freebsd-net@FreeBSD.ORG Thu Jan 26 17:49:21 2012
From: satish amara
To: freebsd-net@freebsd.org
Date: Thu, 26 Jan 2012 12:24:50 -0500
Subject: stateful firewall implementation in FreeBSD
List-Id: Networking and TCP/IP with FreeBSD

Hi,

I have a question regarding the stateful firewall implementation of FreeBSD. IPF has the stateful “keep state” option. Stateful filtering treats traffic as a bi-directional exchange of packets comprising a session conversation.

When activated, keep-state dynamically generates internal rules for each anticipated packet being exchanged during the bi-directional session conversation. It has sufficient matching capabilities to determine if the session conversation between the originating sender and the destination is following the valid procedure of bi-directional packet exchange. Any packets that do not properly fit the session conversation template are automatically rejected as impostors.

I have a question regarding the size of the state table kept in FreeBSD for stateful packet inspection. Say we have a valid scenario where we have a stateful firewall rule for HTTP, we get a lot of incoming new HTTP sessions, and the state table fills up. In that case I guess FreeBSD would reject new sessions. I just want to know what the latest is on this. How would FreeBSD handle it if the state table is full and we get a valid new HTTP connection? What options, in terms of configuration or new features in BSD, would address this issue?

Thanks,
Satish K Amara
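One concrete illustration of the configuration question, added here as an example and not part of the original message or of the IPF documentation: pf, FreeBSD's other stateful firewall, makes the state-table ceiling, the behaviour as it fills, and per-source caps explicit in pf.conf. The `$ext_if` macro and all numbers are assumed, illustrative values.

```pf
# Assumed macro: the interface facing the HTTP clients.
ext_if = "em0"

# Hard ceiling on the global state table. Once it is reached, a
# packet that would need a new state entry is simply dropped.
set limit states 100000

# Adaptive timeouts: once more than adaptive.start states exist,
# every timeout is scaled down linearly, reaching zero at
# adaptive.end, so idle entries expire early instead of letting
# the table fill with stale sessions.
set timeout { adaptive.start 60000, adaptive.end 120000 }
set timeout { tcp.established 3600, tcp.closed 15 }

# Sources that exceed the per-source limits below are parked in
# this table and blocked; "persist" keeps it across rule reloads.
table <abusive> persist
block in quick on $ext_if from <abusive>

# HTTP: keep state, but cap what a single source can consume so
# one client cannot exhaust the state table for everyone.
pass in on $ext_if proto tcp to ($ext_if) port 80 flags S/SA \
    keep state (max 50000, source-track rule, max-src-states 200, \
                max-src-conn-rate 50/5, overload <abusive> flush global)
```

After loading the ruleset, `pfctl -s info` reports the current state count and `pfctl -s memory` the configured limit, which is where a defender would watch for the table approaching adaptive.start.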