Date:      Tue, 17 Apr 2012 13:17:59 -0700
From:      Kevin Oberman <kob6558@gmail.com>
To:        Michael Sierchio <kudzu@tenebras.com>
Cc:        freebsd-net@freebsd.org, "Dmitry S. Kasterin" <dmk.sbor@gmail.com>
Subject:   Re: Stateful IPFW - too many connections in FIN_WAIT_2 or LAST_ACK states
Message-ID:  <CAN6yY1s608M5coYP76OvBvOqd5HqZFyaiVb8PdviGFVN-Do1sg@mail.gmail.com>
In-Reply-To: <CAHu1Y72HG00_yv0wyk_7rRC1bb0SNa+cEOoXZTALV6bkBj207g@mail.gmail.com>
References:  <CAJkxAbyMEYZ4pYu=z4Sfwdqtzh=PjhHE4qrbSsyL34YE9TnXZQ@mail.gmail.com> <CAJkxAbyi7hx9Dugtw5-Md1y77JRzOu3bygS8ntfQg+kw1KZ63w@mail.gmail.com> <CAN6yY1uRrfv0Bdeb+tosna8O8ajD_H1j7N=akL7PS8XC3X09qA@mail.gmail.com> <CAHu1Y72HG00_yv0wyk_7rRC1bb0SNa+cEOoXZTALV6bkBj207g@mail.gmail.com>

On Tue, Apr 17, 2012 at 12:58 PM, Michael Sierchio <kudzu@tenebras.com> wrote:
> On Tue, Apr 17, 2012 at 12:48 PM, Kevin Oberman <kob6558@gmail.com> wrote:
>>
>>
>> But I do have to ask why you find stateful rules for outgoing TCP
>> connections desirable? Why not:
>> 00101 allow tcp from me to any established
>>
> It's useful and appropriate to have outbound connections be stateful. It's
> not a good idea to have inbound connections stateful, as it makes it easy to
> fill up the state table.

It is occasionally useful and appropriate to have outbound connections
be stateful. I agree that inbound ones are dangerous, but I have
managed to DOS myself on an outbound entry. (Yes, it was dumb and
involved some horribly written software that kept opening and closing
sockets instead of continuing to re-use them.)

There can also be no question that they are more complex and, in most
cases, offer exactly zero advantage over 'established'. It is often
simply an automatic action that involves no thought of which is more
appropriate.
-- 
R. Kevin Oberman, Network Engineer
E-mail: kob6558@gmail.com
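The self-inflicted DoS Kevin describes, as an added toy model that is not code from this thread or from ipfw itself: a dynamic-rule table with a constructed cap and FIN lifetime, a client that opens and closes a fresh socket per request, and the stateless 'established' match beside it. The ipfw rule text in the comments is real syntax; the cap, lifetimes, host name "me" and address 203.0.113.5 are constructed values.

```python
from dataclasses import dataclass

SYN, ACK, FIN = 0x02, 0x10, 0x01   # TCP flag bits we care about


@dataclass(frozen=True)
class Seg:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


class StatefulOutbound:
    """Models 'allow tcp from me to any setup keep-state' plus 'check-state'.
    Every new outbound connection costs one dynamic-rule slot, and the slot
    lives on after FIN until the (constructed) FIN lifetime runs out."""

    def __init__(self, dyn_max, fin_lifetime, conn_lifetime):
        self.dyn_max, self.fin_lifetime = dyn_max, fin_lifetime
        self.conn_lifetime = conn_lifetime
        self.table = {}          # 4-tuple -> expiry time (seconds)
        self.now = 0

    def advance(self, seconds):
        """Let time pass and expire dynamic entries, as the firewall would."""
        self.now += seconds
        self.table = {k: t for k, t in self.table.items() if t > self.now}

    def allow(self, seg):
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if key in self.table:                        # check-state hit
            if seg.flags & FIN:                      # half-closed: short lifetime
                self.table[key] = self.now + self.fin_lifetime
            return True
        if seg.flags & SYN and not seg.flags & ACK:  # 'setup' segment
            if len(self.table) >= self.dyn_max:      # table full: we DoS ourselves
                return False
            self.table[key] = self.now + self.conn_lifetime
            return True
        return False


class EstablishedOutbound:
    """Models 'allow tcp from me to any setup' plus
    'allow tcp from me to any established': a flag check only, no state."""

    def allow(self, seg):
        return bool(seg.flags & (SYN | ACK))


def churny_client(fw, connections):
    """Open and immediately close `connections` outbound sockets, one fresh
    source port each, like the badly written software in the mail.
    Returns how many connection attempts the firewall refused."""
    denied = 0
    for i in range(connections):
        port = 10000 + i
        if not fw.allow(Seg("me", port, "203.0.113.5", 80, SYN)):
            denied += 1
            continue
        fw.allow(Seg("me", port, "203.0.113.5", 80, ACK))
        fw.allow(Seg("me", port, "203.0.113.5", 80, FIN | ACK))
    return denied
```

With a 100-entry cap the stateful variant refuses the 101st connection onward until the lingering FIN entries time out, while the 'established' variant refuses nothing because it keeps nothing.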


