From: Chuck Swiger
To: satish amara
Cc: freebsd-net@freebsd.org
Date: Thu, 26 Jan 2012 11:41:02 -0800
Subject: Re: stateful firewall implementation in FreeBSD
List-Id: Networking and TCP/IP with FreeBSD

Hi--

On Jan 26, 2012, at 9:24 AM, satish amara wrote:
> I have a question regarding the size of the state table kept in FreeBSD for
> stateful packet inspection. Say we have a valid scenario where we have a
> stateful firewall rule for HTTP and we get a lot of incoming new HTTP sessions
> and the state table is filled full. In that case I guess FreeBSD would reject
> new sessions. Just want to know what is the latest on this. How would
> FreeBSD handle it if the state table is full and we get a valid new HTTP
> connection? What options in terms of configuration or new features in
> BSD would address this issue?

A securely designed firewall will drop connections when the state table is full. You can increase the size of the state table by following the IPF FAQ:

http://www.phildev.net/ipf/IPFques.html#ques25

...but in point of fact, keeping state for high-volume traffic is generally a losing game, and you are better off (IMHO) setting up stateless bidirectional rules which permit such high-volume traffic. HTTP isn't generally too much of a problem, though; something like a popular stratum-1 or 2 public NTP timeserver will easily blow out a stateful firewall if you try to keep state for NTP's UDP traffic.

Regards,
-- 
-Chuck
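The stateful-versus-stateless choice described in the reply above, as an added illustration that is not part of the original thread: an ipfilter (ipf.conf) rule-set fragment showing a "keep state" rule for HTTP beside the stateless bidirectional pair suggested for high-volume UDP such as a public NTP server. The interface name em0 and the host address 192.0.2.1 are assumptions made for the example.

```conf
# Added example, not from the thread. Interface em0 and the address
# 192.0.2.1 are assumptions; 80/tcp is HTTP, 123/udp is NTP.

# Default-deny in both directions, logged, so anything not matched by a
# "pass ... quick" rule below is dropped.
block in log all
block out log all

# Stateful rule for HTTP: each new client connection consumes one
# state-table entry until it closes or times out. Reply packets are
# matched by the state entry, so no explicit "pass out" rule is needed.
# When the table is full, new connections are dropped, as the reply notes.
pass in quick on em0 proto tcp from any to 192.0.2.1 port = 80 flags S keep state

# Stateless, bidirectional rules for a busy public NTP server: no state is
# kept, so NTP traffic cannot exhaust the state table no matter how many
# clients query. The trade-off is that any UDP packet matching these
# addresses and ports is allowed through, so keep the rules as narrow as
# the service permits (single host, single port, one interface).
pass in quick on em0 proto udp from any to 192.0.2.1 port = 123
pass out quick on em0 proto udp from 192.0.2.1 port = 123 to any
```

With this split, only HTTP sessions occupy state entries, and `ipfstat -s` (state-table statistics) is the place to look when checking whether the table is approaching its maximum.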