From owner-freebsd-net@FreeBSD.ORG Tue Apr 17 20:18:01 2012
From: Kevin Oberman <kob6558@gmail.com>
To: Michael Sierchio
Cc: freebsd-net@freebsd.org, "Dmitry S. Kasterin"
Date: Tue, 17 Apr 2012 13:17:59 -0700
Subject: Re: Stateful IPFW - too many connections in FIN_WAIT_2 or LAST_ACK states
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)

On Tue, Apr 17, 2012 at 12:58 PM, Michael Sierchio wrote:
> On Tue, Apr 17, 2012 at 12:48 PM, Kevin Oberman wrote:
>>
>> But I do have to ask why you find stateful rules for outgoing TCP
>> connections desirable? Why not:
>> 00101 allow tcp from me to any established
>>
> It's useful and appropriate to have outbound connections be stateful. It's
> not a good idea to have inbound connections stateful, as it makes it easy to
> fill up the state table.

It is occasionally useful and appropriate to have outbound connections be
stateful. I agree that inbound ones are dangerous, but I have managed to DoS
myself on an outbound entry. (Yes, it was dumb and involved some horribly
written software that kept opening and closing sockets instead of continuing
to re-use them.)

There can also be no question that they are more complex and, in most cases,
offer exactly zero advantage over 'established'. It is often simply an
automatic action that involves no thought of which is more appropriate.
-- 
R. Kevin Oberman, Network Engineer
E-mail: kob6558@gmail.com
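The self-inflicted DoS Kevin describes, and the difference between the two rule styles, can be seen in a small model of ipfw's dynamic-rule table. This is an added illustration, not code from the thread or from ipfw itself. It assumes the FreeBSD 9-era defaults for net.inet.ip.fw.dyn_max and the dyn_*_lifetime sysctls (4096 entries; 20 s after our SYN, 300 s once both sides have sent SYN, 1 s once both sides have sent FIN or an RST is seen), a simplified version of ipfw's per-direction flag tracking, and a constructed packet trace from a client that opens and closes a fresh TCP connection for every request. The addresses are RFC 5737 documentation ranges; `established()` and `KeepState` are the model's own names.

```python
import heapq
from collections import namedtuple

# Assumed defaults of net.inet.ip.fw.dyn_* (FreeBSD 9 era; check with sysctl).
DYN_MAX = 4096
DYN_SYN_LIFETIME = 20.0    # only our SYN seen so far
DYN_ACK_LIFETIME = 300.0   # SYN seen both ways, at most one side has sent FIN
DYN_FIN_LIFETIME = 1.0     # FIN seen both ways
DYN_RST_LIFETIME = 1.0     # RST seen, or an unexpected flag combination

ME, PEER, SCANNER = "192.0.2.1", "203.0.113.10", "198.51.100.7"  # RFC 5737

# One segment: t in seconds, flags any of "S"/"A"/"F"/"R", inbound = arrives at ME.
Seg = namedtuple("Seg", "t src sport dst dport flags inbound")


def established(seg):
    """'allow tcp from any to me established': stateless, ACK or RST set."""
    return "A" in seg.flags or "R" in seg.flags


class KeepState:
    """Simplified dynamic-rule table behind
    'check-state' + 'allow tcp from me to any setup keep-state'."""

    def __init__(self, dyn_max=DYN_MAX):
        self.dyn_max = dyn_max
        self.table = {}     # key -> {"fwd": flags, "rev": flags, "expire": t}
        self.heap = []      # (expire, key) pairs; stale ones are skipped on pop
        self.peak = 0       # high-water mark, cf. net.inet.ip.fw.dyn_count
        self.drops = 0      # outbound setups refused because the table was full

    @staticmethod
    def _key(seg):
        # Both directions of a connection map to the outbound 4-tuple.
        return ((seg.dst, seg.dport, seg.src, seg.sport) if seg.inbound
                else (seg.src, seg.sport, seg.dst, seg.dport))

    def _expire(self, now):
        while self.heap and self.heap[0][0] <= now:
            exp, key = heapq.heappop(self.heap)
            e = self.table.get(key)
            if e is not None and e["expire"] == exp:
                del self.table[key]

    @staticmethod
    def _lifetime(e):
        fwd, rev = e["fwd"], e["rev"]
        if "R" in fwd or "R" in rev:
            return DYN_RST_LIFETIME
        if "S" in fwd and "S" in rev:      # established; half-close keeps 300 s
            return DYN_FIN_LIFETIME if "F" in fwd and "F" in rev else DYN_ACK_LIFETIME
        if fwd == {"S"} and not rev:
            return DYN_SYN_LIFETIME
        return DYN_RST_LIFETIME

    def match(self, seg):
        """True if check-state matches the segment or a new entry is created."""
        self._expire(seg.t)
        key = self._key(seg)
        e = self.table.get(key)
        if e is None:
            # Only an outbound 'setup' segment (SYN without ACK) may create state.
            if seg.inbound or "S" not in seg.flags or "A" in seg.flags:
                return False
            if len(self.table) >= self.dyn_max:
                self.drops += 1           # the self-inflicted DoS
                return False
            e = self.table[key] = {"fwd": set(), "rev": set(), "expire": 0.0}
            self.peak = max(self.peak, len(self.table))
        e["rev" if seg.inbound else "fwd"] |= set(seg.flags) & {"S", "F", "R"}
        e["expire"] = seg.t + self._lifetime(e)
        heapq.heappush(self.heap, (e["expire"], key))
        return True


def churn_trace(conns_per_sec, seconds):
    """Constructed trace: a fresh 50 ms connection per request, never reused."""
    trace = []
    for i in range(int(conns_per_sec * seconds)):
        t, sp = i / conns_per_sec, 10000 + i % 50000
        trace += [Seg(t, ME, sp, PEER, 443, "S", False),
                  Seg(t + 0.01, PEER, 443, ME, sp, "SA", True),
                  Seg(t + 0.02, ME, sp, PEER, 443, "A", False),
                  Seg(t + 0.03, ME, sp, PEER, 443, "FA", False),
                  Seg(t + 0.04, PEER, 443, ME, sp, "FA", True),
                  Seg(t + 0.05, ME, sp, PEER, 443, "A", False)]
    trace.sort(key=lambda s: s.t)
    return trace


def run(conns_per_sec, seconds, dyn_max=DYN_MAX):
    """Returns (peak entries, refused setups, probe passed by 'established',
    probe passed by keep-state); the probe is an unsolicited ACK from SCANNER."""
    ks = KeepState(dyn_max)
    for seg in churn_trace(conns_per_sec, seconds):
        ks.match(seg)
    probe = Seg(seconds + 1.0, SCANNER, 40000, ME, 22, "A", True)
    return ks.peak, ks.drops, established(probe), KeepState(dyn_max).match(probe)
```

At 100 connections per second the table settles at roughly a hundred entries, because each fully closed connection lingers only for the 1 s FIN lifetime; at 5000 per second the churn alone pins the table at dyn_max and new outbound setups are refused while the firewall is otherwise idle. The stateless `established` rule has no table to fill, but the same property is its cost: it admits any inbound segment with ACK or RST set, so an unsolicited ACK probe from a scanner passes it while `check-state` rejects it. On a real host, compare the model with `sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max` and `ipfw -d list`, which show the live dynamic entries and their remaining lifetimes.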