Date: Thu, 26 Jan 2012 11:41:02 -0800
From: Chuck Swiger <cswiger@mac.com>
To: satish amara <satishkamara@gmail.com>
Cc: freebsd-net@freebsd.org
Subject: Re: stateful firewall implementation in FreeBSD
Message-ID: <BA1423A6-818D-4608-95CB-3F488B9FF245@mac.com>
In-Reply-To: <CAGSLe_G1u9hc5NuxVKQqqezWEu8i_5ChLqxc2LTRwTCcmEO3Lw@mail.gmail.com>
References: <CAGSLe_G1u9hc5NuxVKQqqezWEu8i_5ChLqxc2LTRwTCcmEO3Lw@mail.gmail.com>
Hi--

On Jan 26, 2012, at 9:24 AM, satish amara wrote:
> I have a question regarding the size of the state table kept in FreeBSD for
> stateful packet inspection. Say we have a valid scenario where we have a
> stateful firewall rule for HTTP and we get a lot of incoming new HTTP sessions
> and the state table is filled full. In that case I guess FreeBSD would reject
> new sessions. Just want to know what is the latest on this. How would
> FreeBSD handle it if the state table is full and we get a valid new HTTP
> connection? What are the options in terms of configuration or new features in
> BSD that would address this issue?

A securely designed firewall will drop connections when the state table is full.

You can increase the size of the state table by following the IPF FAQ:

http://www.phildev.net/ipf/IPFques.html#ques25

...but in point of fact, keeping state for high-volume traffic is generally a losing game, and you are better off (IMHO) setting up stateless bidirectional rules which permit such high volume traffic. HTTP isn't generally too much of a problem, though-- something like a popular stratum-1 or 2 public NTP timeserver will easily blow out a stateful firewall if you try to keep state for NTP's UDP traffic.

Regards,
--
-Chuck
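An added illustration of the two approaches Chuck contrasts, written as an ipf.conf fragment (not from the thread or the IPF FAQ): a stateful rule for HTTP beside stateless bidirectional rules for NTP. The interface name em0 and the address 192.0.2.10 are constructed placeholders.

```conf
# Added example, not from the original message. Interface "em0" and
# address 192.0.2.10 are placeholders for a host running ipf.

# HTTP: the new-connection rate is usually moderate, so tracking state is
# affordable. Each accepted SYN creates one state-table entry; once the
# table is full, further new connections are dropped (the secure default
# described in the thread). Raise the table size per the IPF FAQ if needed.
pass in quick on em0 proto tcp from any to 192.0.2.10 port = 80 flags S keep state

# NTP on a busy public time server: a very high rate of short UDP
# exchanges would fill the state table quickly. Permit the traffic
# statelessly in both directions instead; no state entry is created, so
# the table cannot be exhausted by this service.
pass in  quick on em0 proto udp from any to 192.0.2.10 port = 123
pass out quick on em0 proto udp from 192.0.2.10 port = 123 to any

# Default policy: drop anything the quick rules above did not match.
block in all
block out all
```

The trade-off is that the stateless NTP rules accept any UDP datagram addressed to port 123, so they rely on the service itself to reject malformed input rather than on the firewall matching it to an existing flow.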