From owner-freebsd-security Thu Jan 30 9:46:58 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2AC6937B401 for ; Thu, 30 Jan 2003 09:46:56 -0800 (PST)
Received: from spitfire.velocet.net (spitfire.velocet.net [216.138.223.227]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1AD8843F79 for ; Thu, 30 Jan 2003 09:46:54 -0800 (PST) (envelope-from steve@nomad.tor.lets.net)
Received: from nomad.tor.lets.net (H74.C220.tor.velocet.net [216.138.220.74]) by spitfire.velocet.net (Postfix) with SMTP id 221764B7DD3 for ; Thu, 30 Jan 2003 12:46:52 -0500 (EST)
Received: (qmail 80818 invoked by uid 1001); 30 Jan 2003 17:41:12 -0000
Date: Thu, 30 Jan 2003 12:41:12 -0500
From: Steve Shorter
To: Ng Pheng Siong
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: The way forward.......
Message-ID: <20030130124112.A80796@nomad.lets.net>
References: <20030127073039.U1537@woody.ops.uunet.co.za> <20030128160332.A79276@nomad.lets.net> <20030130162152.GA40750@vista.netmemetic.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20030130162152.GA40750@vista.netmemetic.com>; from ngps@netmemetic.com on Fri, Jan 31, 2003 at 12:21:52AM +0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Jan 31, 2003 at 12:21:52AM +0800, Ng Pheng Siong wrote:
> On Tue, Jan 28, 2003 at 04:03:32PM -0500, Steve Shorter wrote:
> > On the internal machines I am running just ipfw in
> > stateless mode only.
>
> Any specific reason why?
>
> I find myself writing stateful rules as a matter of habit, whether the
> machine is a gateway or not.
>

These are high volume web servers.

To keep redundant state information on all of these machines is a waste of resources and defeats much of the purpose of breaking out a dedicated machine for firewalling. A good webserver does not necessarily make a good stateful firewall. A good firewall can suck as a webserver. Because of ipfilter up front the rules on these machines are very economical and highly efficient.

Best not to have too many habits uncritically applied. Stateful firewalls are easily ruined by SYN flood attacks. There are situations where stateful firewalling is inappropriate and unnecessary.

-steve
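As an added illustration of the stateless setup Steve describes (example code written for this page, not from the thread, the poster, or the FreeBSD project), here is an ipfw ruleset for a web server that sits behind a dedicated firewall: inbound SYNs to the service ports are plain packet matches, and the rest of each conversation is matched by ipfw's `established` keyword (ACK or RST bit set) rather than by a per-flow entry in the dynamic-rule table that `keep-state` would create and a SYN flood could fill. The interface name fxp0, address 192.0.2.10 and management network 192.0.2.0/24 are assumed placeholders.

```shell
#!/bin/sh
# Stateless ipfw ruleset for a web server behind a dedicated stateful
# firewall. Example, not from the original thread. Interface, address
# and management network below are assumed placeholders.
EXT_IF="${EXT_IF:-fxp0}"
WEB_IP="${WEB_IP:-192.0.2.10}"
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"

# Emit the ruleset in the file format ipfw(8) reads: one command per line.
stateless_webserver_ruleset() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
# New client connections: a SYN to the service ports is just a packet,
# nothing is remembered about it, so a SYN flood costs the host no memory.
add 1000 allow tcp from any to ${WEB_IP} 80,443 in via ${EXT_IF} setup
# The rest of every TCP conversation is matched on its ACK/RST bits
# (ipfw 'established') instead of a per-flow entry in a state table.
add 1100 allow tcp from any to any established
# Connections the server itself opens (package fetches, DNS, NTP, ...).
add 1200 allow tcp from ${WEB_IP} to any out via ${EXT_IF} setup
add 1300 allow udp from ${WEB_IP} to any 53,123 out via ${EXT_IF}
add 1310 allow udp from any 53,123 to ${WEB_IP} in via ${EXT_IF}
# Administration only from the management network.
add 1400 allow tcp from ${MGMT_NET} to ${WEB_IP} 22 in via ${EXT_IF} setup
# ICMP needed for path-MTU discovery and basic diagnostics.
add 1500 allow icmp from any to any icmptypes 0,3,8,11
add 65000 deny log ip from any to any
EOF
}

# Flush the running rules and load the file. Run as root; nothing here
# is invoked automatically when the script is sourced.
apply_ruleset() {
    tmp=$(mktemp /tmp/ipfw.XXXXXX) || return 1
    stateless_webserver_ruleset | grep -v '^#' > "$tmp"
    ipfw -q -f flush && ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Sanity check: the ruleset must not depend on dynamic state at all.
ruleset_is_stateless() {
    if stateless_webserver_ruleset | grep -qE 'keep-state|check-state|limit '; then
        return 1
    fi
    return 0
}
```

Load it with `apply_ruleset` from a root shell; the `established` rule is what keeps the per-packet cost flat under a SYN flood, since no table entry is ever allocated for a half-open connection.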