From owner-freebsd-questions@FreeBSD.ORG Thu Apr 19 16:52:16 2007
Return-Path:
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 19F5916A404 for ; Thu, 19 Apr 2007 16:52:16 +0000 (UTC) (envelope-from schulra@earlham.edu)
Received: from sipala.earlham.edu (sipala.earlham.edu [159.28.1.75]) by mx1.freebsd.org (Postfix) with ESMTP id D37C613C46A for ; Thu, 19 Apr 2007 16:52:15 +0000 (UTC) (envelope-from schulra@earlham.edu)
Received: from tdream.lly.earlham.edu (tdream.lly.earlham.edu [159.28.7.241]) by sipala.earlham.edu (8.13.6/8.13.6) with ESMTP id l3JGX8Ja025743; Thu, 19 Apr 2007 12:33:08 -0400 (EDT)
Date: Thu, 19 Apr 2007 12:33:30 -0400 (EDT)
From: Randy Schultz
X-X-Sender: schulra@tdream.lly.earlham.edu
To: Bill Moran
In-Reply-To: <20070418153224.ee867438.wmoran@potentialtech.com>
Message-ID:
References: <669BB85F-59F2-4DDE-ADAA-0111A0E85967@earlham.edu> <20070418144246.bab7d6d5.wmoran@potentialtech.com> <20070418153224.ee867438.wmoran@potentialtech.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Cc: Kevin Hunter , FreeBSD Questions
Subject: Re: program/binary ip filtering
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Thu, 19 Apr 2007 16:52:16 -0000

Hey Bill,

Tnx much for the input. I'm the new lead sys admin here. Been away from freebsd for far too long. It's good to be back. ;>

On Wed, 18 Apr 2007, Bill Moran spaketh thusly:
-}
-}that you either need to write stateful rules (so that the initial connection
-}creates a state that is then used to allow traffic in both directions) or

That's what we currently have set up.

-}you need to create two rules -- one to allow traffic out, the other to
-}allow traffic in. Stateful filtering is generally considered to be more
-}secure, but you then have concerns about properly maintaining state tables,
-}which can be a problem on very busy servers.

Oh? Why is stateful considered more secure? Anybody have links to good reading on this? I've been through the links in the handbook. Tho' I could have missed something, I didn't see anything on why stateful is more secure than in/out.

--
Randy (schulra@earlham.edu) 725.983.1283 <*>
Rain puts a hole in stone because of its constancy, not its force. - H. Joseph Gerber
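As an added illustration of the two approaches Bill describes (this is not code from the thread, from the FreeBSD handbook, or from any FreeBSD firewall; it is a toy model written for this archive page), the Python below runs the same constructed packets through a stateless "one rule out, one rule in" pair and through a "keep state" style rule. The addresses, ports and the one-entry state table are all made up for the demonstration. It shows the point Randy asks about: the standing inbound rule must admit any packet whose source port happens to match, whether or not the protected host ever talked to the sender, while the stateful rule admits a packet only if it mirrors a flow the host itself opened. It also models the busy-server concern Bill raises: once the state table is full, new outbound flows are refused until a state is removed.

```python
from dataclasses import dataclass

INSIDE = "192.0.2.10"       # constructed address for the protected host
WEB = "203.0.113.5"         # constructed address of a web server INSIDE contacts
STRANGER = "198.51.100.9"   # constructed address that INSIDE never contacted


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" (leaving INSIDE) or "in" (arriving at INSIDE)
    src: str
    sport: int
    dst: str
    dport: int


def stateless_allow(pkt: Packet) -> bool:
    """The 'two rules' approach: one rule out, one rule in, no state kept.

    rule 1: pass out tcp from INSIDE to any port 80
    rule 2: pass in  tcp from any port 80 to INSIDE
    Rule 2 has to stand open permanently, so it admits any inbound packet
    whose source port is 80, even from a host INSIDE never spoke to."""
    if pkt.direction == "out" and pkt.src == INSIDE and pkt.dport == 80:
        return True
    if pkt.direction == "in" and pkt.dst == INSIDE and pkt.sport == 80:
        return True
    return False


class StatefulFilter:
    """The 'keep state' approach: the outbound rule creates a state entry and
    inbound packets are admitted only when they match such an entry.

    max_states models the finite state table Bill mentions: once it is full,
    new outbound flows are refused until existing entries are removed."""

    def __init__(self, max_states: int = 3) -> None:
        self.max_states = max_states
        self.states: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out" and pkt.src == INSIDE and pkt.dport == 80:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.states:
                return True
            if len(self.states) >= self.max_states:
                return False  # table full: a busy server starts failing here
            self.states.add(key)
            return True
        if pkt.direction == "in":
            # A reply is valid only if it mirrors an outbound flow we recorded.
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.states
        return False

    def close(self, pkt: Packet) -> None:
        """Remove the state for a finished flow (what a FIN/RST or timeout does)."""
        self.states.discard((pkt.src, pkt.sport, pkt.dst, pkt.dport))


def run_scenario() -> dict[str, tuple[bool, bool]]:
    """Run constructed packets through both filters.

    Returns {label: (stateless_decision, stateful_decision)}."""
    sf = StatefulFilter(max_states=1)  # deliberately tiny table for the demo
    request = Packet("out", INSIDE, 50000, WEB, 80)
    reply = Packet("in", WEB, 80, INSIDE, 50000)
    # Unsolicited inbound packet whose sender simply chose source port 80.
    unsolicited = Packet("in", STRANGER, 80, INSIDE, 22)
    second_request = Packet("out", INSIDE, 50001, WEB, 80)

    results = {
        "request": (stateless_allow(request), sf.allow(request)),
        "reply": (stateless_allow(reply), sf.allow(reply)),
        "unsolicited": (stateless_allow(unsolicited), sf.allow(unsolicited)),
        # With the one-entry table full, the stateful filter refuses a new flow.
        "second_request": (stateless_allow(second_request), sf.allow(second_request)),
    }
    sf.close(request)  # first flow finished: state removed, room again
    results["second_request_after_close"] = (
        stateless_allow(second_request), sf.allow(second_request))
    return results


if __name__ == "__main__":
    for label, (stateless, stateful) in run_scenario().items():
        print(f"{label:28s} stateless={stateless!s:5s} stateful={stateful}")
```

The "unsolicited" row is the difference that makes stateful filtering the safer default: the stateless pair passes it because its inbound rule cannot distinguish a reply from anything else with source port 80, while the stateful filter drops it because no matching state exists. The "second_request" row is the cost side of the trade: state has to be tracked, sized and expired, which is exactly the maintenance concern on very busy servers.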