Date: Thu, 30 Jan 2003 12:41:12 -0500
From: Steve Shorter <steve@nomad.lets.net>
To: Ng Pheng Siong <ngps@netmemetic.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: The way forward.......
Message-ID: <20030130124112.A80796@nomad.lets.net>
In-Reply-To: <20030130162152.GA40750@vista.netmemetic.com>; from ngps@netmemetic.com on Fri, Jan 31, 2003 at 12:21:52AM +0800
References: <20030127073039.U1537@woody.ops.uunet.co.za> <20030128160332.A79276@nomad.lets.net> <20030130162152.GA40750@vista.netmemetic.com>
On Fri, Jan 31, 2003 at 12:21:52AM +0800, Ng Pheng Siong wrote:
> On Tue, Jan 28, 2003 at 04:03:32PM -0500, Steve Shorter wrote:
> > On the internal machines I am running just ipfw in
> > stateless mode only.
>
> Any specific reason why?
>
> I find myself writing stateful rules as a matter of habit, whether the
> machine is a gateway or not.

These are high volume web servers. To keep redundant state information on all of these machines is a waste of resources and defeats much of the purpose of breaking out a dedicated machine for firewalling. A good webserver does not necessarily make a good stateful firewall. A good firewall can suck as a webserver.

Because of ipfilter up front, the rules on these machines are very economical and highly efficient. Best not to have too many habits uncritically applied. Stateful firewalls are easily ruined by SYN flood attacks. There are situations where stateful firewalling is inappropriate and unnecessary.

-steve

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030130124112.A80796>
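As an added illustration of the kind of ruleset Steve is describing (this is example code written for this page, not anything posted in the thread), here is a stateless ipfw ruleset for a web server that sits behind a separate stateful gateway. The interface name, the management network and the service ports are assumptions; the script only prints the rules so they can be reviewed before being applied on a real host.

```shell
#!/bin/sh
# Added example, not from the original thread: stateless ipfw rules for a
# web server behind a stateful ipfilter gateway. No keep-state/check-state
# rules are used, so the host keeps no connection table that a SYN flood
# could fill up; that job is left to the dedicated firewall in front.

IFACE="${IFACE:-fxp0}"                 # assumption: external interface name
WEB_PORTS="${WEB_PORTS:-80,443}"       # assumption: services this box offers
MGMT_NET="${MGMT_NET:-10.0.0.0/24}"    # constructed: admin network allowed to ssh in

# Emit the ruleset as text rather than applying it, so it can be inspected
# or piped to sh by an operator who has checked it.
stateless_web_rules() {
    cat <<EOF
ipfw -f flush
# loopback sanity rules
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 deny ip from any to 127.0.0.0/8
ipfw add 300 deny ip from 127.0.0.0/8 to any
# New inbound TCP connections (SYN without ACK): only the published services
ipfw add 1000 allow tcp from any to me $WEB_PORTS in via $IFACE setup
ipfw add 1100 allow tcp from $MGMT_NET to me 22 in via $IFACE setup
# Every other connection attempt is dropped without creating any state
ipfw add 1200 deny tcp from any to any in via $IFACE setup
# Segments of already-open TCP connections (ACK or RST set) pass both ways;
# no state table is consulted, the TCP flags alone decide
ipfw add 2000 allow tcp from any to any established
# Connections this host opens itself; their replies match rule 2000
ipfw add 2100 allow tcp from me to any out via $IFACE setup
# Minimal UDP for resolver traffic and the ICMP types needed for PMTU/errors
ipfw add 3000 allow udp from any 53 to me in via $IFACE
ipfw add 3100 allow udp from me to any 53 out via $IFACE
ipfw add 3200 allow icmp from any to any icmptypes 3,4,11
ipfw add 65000 deny ip from any to any
EOF
}

# Check that the generated ruleset really is stateless: returns 0 when no
# keep-state or check-state rule is present.
is_stateless() {
    ! stateless_web_rules | grep -Eq 'keep-state|check-state'
}

stateless_web_rules
```

The trade-off is the classic one: the `established` rule trusts TCP flags rather than a connection table, so it is cheap and immune to state exhaustion, but on its own it would also pass stray ACK-flagged packets to any port. That is exactly why this style only makes sense behind a stateful gateway such as the ipfilter box Steve mentions, which does the per-connection tracking once for the whole farm.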
