Date: Thu, 26 Jan 2012 12:24:50 -0500 From: satish amara <satishkamara@gmail.com> To: freebsd-net@freebsd.org Subject: stateful firewall implementation in FreeBSD Message-ID: <CAGSLe_G1u9hc5NuxVKQqqezWEu8i_5ChLqxc2LTRwTCcmEO3Lw@mail.gmail.com>
Hi,

I have a question regarding the stateful firewall implementation in FreeBSD. IPF has the stateful "keep state" option. Stateful filtering treats traffic as a bi-directional exchange of packets comprising a session conversation. When activated, keep-state dynamically generates internal rules for each anticipated packet being exchanged during the bi-directional session conversation. It has sufficient matching capabilities to determine whether the session conversation between the originating sender and the destination is following the valid procedure of bi-directional packet exchange. Any packets that do not properly fit the session conversation template are automatically rejected as impostors.

I have a question regarding the size of the state table kept in FreeBSD for stateful packet inspection. Say we have a valid scenario where we have a stateful firewall rule for HTTP, we get a lot of incoming new HTTP sessions, and the state table fills up completely. In that case I guess FreeBSD would reject new sessions. I just want to know what the latest is on this. How would FreeBSD handle it if the state table is full and we get a valid new HTTP connection? What options, in terms of configuration or new features in BSD, would address this issue?

Thanks,
Satish K Amara
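The behaviour the question asks about, as an added illustration that is not part of the original message and not FreeBSD's own code: a small model of a bounded keep-state table. A connection-initiating packet that matches the rule creates a dynamic entry; later packets are allowed only if they match an existing entry in either direction (the reversed 5-tuple covers the reply); packets that fit no entry are dropped as impostors; a new session arriving while the table is full is refused; idle entries expire after a lifetime, which is what frees room again. The capacity of 3, the 30-second lifetime, the single rule "tcp from any to 10.0.0.1 80" and the addresses are constructed for the example, and the real kernel keeps per-protocol and per-TCP-phase lifetimes and a hashed table rather than a flat dict.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Flow key: (proto, src_ip, src_port, dst_ip, dst_port)
FlowKey = Tuple[str, str, int, str, int]

# Constructed stand-in for a single "keep-state" rule: tcp to 10.0.0.1 port 80.
RULE = ("tcp", "10.0.0.1", 80)


def rule_matches(key: FlowKey) -> bool:
    proto, _sip, _sp, dip, dp = key
    return (proto, dip, dp) == RULE


def reverse(key: FlowKey) -> FlowKey:
    """The 5-tuple of the reply direction of a session."""
    proto, sip, sp, dip, dp = key
    return (proto, dip, dp, sip, sp)


@dataclass
class StateEntry:
    created: float
    last_seen: float


class StateTable:
    """Bounded dynamic-rule table: a simplified model of keep-state, not
    FreeBSD's implementation (assumed single idle lifetime for all entries)."""

    def __init__(self, max_entries: int, lifetime: float):
        self.max_entries = max_entries
        self.lifetime = lifetime
        self.entries: Dict[FlowKey, StateEntry] = {}
        self.refused_new = 0  # new sessions refused because the table was full

    def expire(self, now: float) -> int:
        """Drop entries idle longer than the lifetime; return how many went."""
        stale = [k for k, e in self.entries.items() if now - e.last_seen > self.lifetime]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def check_packet(self, key: FlowKey, now: float, syn: bool = False) -> str:
        """Return 'allow' or 'deny' for one packet and update the table."""
        self.expire(now)
        # Does the packet belong to an existing session, in either direction?
        for k in (key, reverse(key)):
            entry = self.entries.get(k)
            if entry is not None:
                entry.last_seen = now
                return "allow"
        # Only a session-opening packet matching the rule may create state;
        # anything else fits no session template and is rejected.
        if not (syn and rule_matches(key)):
            return "deny"
        if len(self.entries) >= self.max_entries:
            self.refused_new += 1  # table full: valid new session is refused
            return "deny"
        self.entries[key] = StateEntry(created=now, last_seen=now)
        return "allow"


def simulate(max_entries: int = 3, lifetime: float = 30.0) -> dict:
    """Walk a constructed packet sequence through the table and report outcomes."""
    table = StateTable(max_entries, lifetime)
    server = "10.0.0.1"
    clients = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]
    t = 0.0
    out = {}
    # Three clients open HTTP sessions: each creates a dynamic entry.
    out["first_three"] = [
        table.check_packet(("tcp", c, 40000, server, 80), t, syn=True) for c in clients[:3]
    ]
    # A fourth, equally valid session arrives while the table is full.
    out["fourth_when_full"] = table.check_packet(
        ("tcp", clients[3], 40000, server, 80), t + 1, syn=True)
    # The server's reply to client 1 matches the reversed tuple of its entry.
    out["server_reply"] = table.check_packet(("tcp", server, 80, clients[0], 40000), t + 2)
    # An unsolicited non-SYN packet to the server fits no session template.
    out["unsolicited"] = table.check_packet(("tcp", "198.51.100.5", 1234, server, 80), t + 2)
    # After the idle lifetime passes, stale entries expire and the retry succeeds.
    out["fourth_after_expiry"] = table.check_packet(
        ("tcp", clients[3], 40000, server, 80), t + lifetime + 5, syn=True)
    out["refused_new"] = table.refused_new
    out["entries_now"] = len(table.entries)
    return out


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The two knobs the model exposes, table size and idle lifetime, are the ones that matter in practice: IPFW's dynamic rules are capped by the `net.inet.ip.fw.dyn_max` sysctl and aged by the `net.inet.ip.fw.dyn_*_lifetime` sysctls, and pf sets the equivalent with `set limit states` and `set timeout` in pf.conf. Raising the cap or shortening the lifetimes for idle or half-open states changes when the refusal in `check_packet` is reached, which is the question the message raises.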