Date: Thu, 26 Jan 2012 18:41:54 -0800 From: Kevin Oberman <kob6558@gmail.com> To: Chuck Swiger <cswiger@mac.com> Cc: satish amara <satishkamara@gmail.com>, freebsd-net@freebsd.org Subject: Re: stateful firewall implementation in FreeBSD Message-ID: <CAN6yY1t=t6GbQ%2BQsL42oPpbnFqXgd8pEa34C0f4upvnuCLT4qQ@mail.gmail.com> In-Reply-To: <BA1423A6-818D-4608-95CB-3F488B9FF245@mac.com> References: <CAGSLe_G1u9hc5NuxVKQqqezWEu8i_5ChLqxc2LTRwTCcmEO3Lw@mail.gmail.com> <BA1423A6-818D-4608-95CB-3F488B9FF245@mac.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Jan 26, 2012 at 11:41 AM, Chuck Swiger <cswiger@mac.com> wrote: > Hi-- > > On Jan 26, 2012, at 9:24 AM, satish amara wrote: >> I have question regarding the size of the state table kept in FreeBSD fo= r >> stateful packet inspection. Say we have a valid senario where we have >> stateful firewall rule for HTTP and we get lot of incoming new HTTP sess= ion >> and state table is filled full. In that case I guess FreeBSD would rejec= t >> new sessions. =A0Just want to know what is the latest on this. How does >> FreeBSD would handle if the state table is full and we get valid new HTT= P >> connection. What are options in terms of configuration or new feature in >> BSD would address this issue. > > A securely designed firewall will drop connections when the state table i= s full. > > You can increase the size of the state table by following the IPF FAQ: > > =A0http://www.phildev.net/ipf/IPFques.html#ques25 > > ...but in point of fact, keeping state for high-volume traffic is general= ly > a losing game, and you are better off (IMHO) setting up stateless bidirec= tional > rules which permit such high volume traffic. > > HTTP isn't generally too much of a problem, though-- something like a pop= ular > stratum-1 or 2 public NTP timeserver will easily blow out a stateful fire= wall > if you try to keep state for NTP's UDP traffic. To put it very clearly, a stateful firewall "protecting" a server is an open invitation to DOS. It is trivial to generate enough UDP traffic to overflow any limit on connections in a stateful firewall. Various tricks have been tried but the reality is that none has really succeeded. Some do help, but nowhere near enough to solve the problem. Stateful firewalls are for clients and systems that don't provide publicly accessible services. Servers require stateless filters along with IDS/IPS for effective protection. And I do expect to get people saying that you HAVE to have a stateful firewall is a basic requirement for a device on the Internet. I can only say htat I know of many well known servers that do not have them and few that do. There is a reason for that. At my old employer we were under government security oversight and I can remember the auditors back a few years ago who had a fit when told that no firewall was employed, just an IDS/IPS with RTBH. The problem is that their red team of attackers never could successfully attack which really annoyed them to the point that they tryed toi order that the IDS be disabled for their attack attempts. (We refused, siting terms of the testing agreement.) Today, auditors still are a bit surprised that they don't use a firewall, but are no longer upset by it as they are seeing it more often. --=20 R. Kevin Oberman, Network Engineer E-mail: kob6558@gmail.com
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAN6yY1t=t6GbQ%2BQsL42oPpbnFqXgd8pEa34C0f4upvnuCLT4qQ>