From owner-freebsd-net@FreeBSD.ORG Sat Jan 28 07:06:09 2012 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5F1F41065673 for ; Sat, 28 Jan 2012 07:06:09 +0000 (UTC) (envelope-from smithi@nimnet.asn.au) Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) by mx1.freebsd.org (Postfix) with ESMTP id B021F8FC12 for ; Sat, 28 Jan 2012 07:06:08 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id q0S7669W038679; Sat, 28 Jan 2012 18:06:07 +1100 (EST) (envelope-from smithi@nimnet.asn.au) Date: Sat, 28 Jan 2012 18:06:06 +1100 (EST) From: Ian Smith To: Nikolay Denev In-Reply-To: <1A4CBF45-8ABB-4BFB-A83A-2906CBD32667@gmail.com> Message-ID: <20120128175204.L13367@sola.nimnet.asn.au> References: <1A4CBF45-8ABB-4BFB-A83A-2906CBD32667@gmail.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Cc: satish amara , freebsd-net@freebsd.org, Kevin Oberman Subject: Re: stateful firewall implementation in FreeBSD X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 28 Jan 2012 07:06:09 -0000 On Fri, 27 Jan 2012, Nikolay Denev wrote: > On Jan 27, 2012, at 4:41 AM, Kevin Oberman wrote: > > > On Thu, Jan 26, 2012 at 11:41 AM, Chuck Swiger wrote: > >> Hi-- > >> > >> On Jan 26, 2012, at 9:24 AM, satish amara wrote: > >>> I have question regarding the size of the state table kept in FreeBSD for > >>> stateful packet inspection. Say we have a valid senario where we have > >>> stateful firewall rule for HTTP and we get lot of incoming new HTTP session > >>> and state table is filled full. In that case I guess FreeBSD would reject > >>> new sessions. Just want to know what is the latest on this. How does > >>> FreeBSD would handle if the state table is full and we get valid new HTTP > >>> connection. What are options in terms of configuration or new feature in > >>> BSD would address this issue. > >> > >> A securely designed firewall will drop connections when the state table is full. > >> > >> You can increase the size of the state table by following the IPF FAQ: > >> > >> http://www.phildev.net/ipf/IPFques.html#ques25 > >> > >> ...but in point of fact, keeping state for high-volume traffic is generally > >> a losing game, and you are better off (IMHO) setting up stateless bidirectional > >> rules which permit such high volume traffic. > >> > >> HTTP isn't generally too much of a problem, though-- something like a popular > >> stratum-1 or 2 public NTP timeserver will easily blow out a stateful firewall > >> if you try to keep state for NTP's UDP traffic. > > > > To put it very clearly, a stateful firewall "protecting" a server is > > an open invitation to DOS. It is trivial to generate enough UDP > > traffic to overflow any limit on connections in a stateful firewall. > > Various tricks have been tried but the reality is that none has really > > succeeded. Some do help, but nowhere near enough to solve the problem. > > > > Stateful firewalls are for clients and systems that don't provide > > publicly accessible services. Servers require stateless filters along > > with IDS/IPS for effective protection. > > > > And I do expect to get people saying that you HAVE to have a stateful > > firewall is a basic requirement for a device on the Internet. I can > > only say htat I know of many well known servers that do not have them > > and few that do. There is a reason for that. At my old employer we > > were under government security oversight and I can remember the > > auditors back a few years ago who had a fit when told that no firewall > > was employed, just an IDS/IPS with RTBH. The problem is that their red > > team of attackers never could successfully attack which really annoyed > > them to the point that they tryed toi order that the IDS be disabled > > for their attack attempts. (We refused, siting terms of the testing > > agreement.) > > > > Today, auditors still are a bit surprised that they don't use a > > firewall, but are no longer upset by it as they are seeing it more > > often. > > -- > > R. Kevin Oberman, Network Engineer > > E-mail: kob6558@gmail.com > > > > In my experience (and I've had a few DDoS attacks), the state table > was never an issue (unless left at default settings), the machine > would either die from interrupt/cpu overload, or the pipe will be > filled. For example the pf(4) firewall can be tuned to have millions > of state entries, then you can configure thresholds which reached > will make the existing state entries expire sooner, leaving room for > new ones. > > P.S.: Stateful firewalls are required by the PCI DSS (requirement 1.3.6) Some of us will recall when just about anything .gov (or at least .mil) -related had to be written in ADA. One is left to ponder the relative wisdom of that old and this newer requirement :) cheers, Ian