Date: Thu, 19 Apr 2007 12:33:30 -0400 (EDT)
From: Randy Schultz <schulra@earlham.edu>
To: Bill Moran <wmoran@potentialtech.com>
Cc: Kevin Hunter <hunteke@earlham.edu>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: program/binary ip filtering
Message-ID: <Pine.BSF.4.64.0704191047040.88620@tdream.lly.earlham.edu>
In-Reply-To: <20070418153224.ee867438.wmoran@potentialtech.com>
References: <669BB85F-59F2-4DDE-ADAA-0111A0E85967@earlham.edu> <20070418144246.bab7d6d5.wmoran@potentialtech.com> <D78E83C6-6EC4-4656-90A7-8ABEC0E5406F@earlham.edu> <20070418153224.ee867438.wmoran@potentialtech.com>
Hey Bill,

Tnx much for the input. I'm the new lead sys admin here. Been away from FreeBSD for far too long. It's good to be back. ;>

On Wed, 18 Apr 2007, Bill Moran spaketh thusly:

-}
-}that you either need to write stateful rules (so that the initial connection
-}creates a state that is then used to allow traffic in both directions) or

That's what we currently have set up.

-}you need to create two rules -- one to allow traffic out, the other to
-}allow traffic in. Stateful filtering is generally considered to be more
-}secure, but you then have concerns about properly maintaining state tables,
-}which can be a problem on very busy servers.

Oh? Why is stateful considered more secure? Anybody have links to good reading on this? I've been through the links in the handbook. Tho' I could have missed something, I didn't see anything on why stateful is more secure than in/out.

--
Randy (schulra@earlham.edu) 725.983.1283 <*>
Rain puts a hole in stone because of its constancy, not its force. - H. Joseph Gerber
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.64.0704191047040.88620>
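The difference Bill describes in the quoted text (a stateless in/out rule pair versus a rule that keeps state) is easy to see with a toy filter. The following Python block is an added illustration, not code from this thread, from pf, or from ipfw; the host address 10.0.0.5, the "allow outbound HTTP" policy, and the three packets are constructed for the example. The stateless variant needs an inbound rule that admits anything that merely looks like a reply (source port 80, high destination port), so an unsolicited packet aimed at a local service on port 3306 gets through as long as the attacker sets its source port to 80. The stateful variant admits an inbound packet only if the reverse 4-tuple matches a connection this host opened, which is what pf's `keep state` and ipfw's `keep-state`/`check-state` do. The `max_states` knob models the state-table caveat in the quoted text: once the table is full, new outbound connections are refused rather than silently admitted.

```python
"""Toy packet filter: stateless in/out rule pair versus stateful rule.

Constructed example for illustration; it is not pf or ipfw code.
Policy under test: the local host (HOST) may open TCP connections to
port 80 anywhere, and nothing else should reach it from outside.
"""
from dataclasses import dataclass

HOST = "10.0.0.5"  # assumed local address for the example


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to HOST
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def stateless_pass(pkt: Packet) -> bool:
    """Two-rule stateless policy, roughly:

        pass out proto tcp from HOST to any port 80
        pass in  proto tcp from any port 80 to HOST port > 1023

    The inbound rule cannot know whether a connection exists, so it has to
    describe what a reply *looks like*, and anything matching that shape
    is admitted.
    """
    if pkt.proto != "tcp":
        return False
    if pkt.direction == "out":
        return pkt.src_ip == HOST and pkt.dst_port == 80
    return pkt.src_port == 80 and pkt.dst_ip == HOST and pkt.dst_port > 1023


class StatefulFilter:
    """Single stateful rule, roughly:

        pass out proto tcp from HOST to any port 80 keep state

    Inbound packets are admitted only when the reversed 4-tuple matches an
    entry created by an earlier outbound packet. max_states models a full
    state table: when it is reached, new outbound connections are refused.
    """

    def __init__(self, max_states: int = 10000):
        self.max_states = max_states
        self.states: set[tuple[str, int, str, int]] = set()

    def passes(self, pkt: Packet) -> bool:
        if pkt.proto != "tcp":
            return False
        if pkt.direction == "out":
            if not (pkt.src_ip == HOST and pkt.dst_port == 80):
                return False
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if key in self.states:
                return True  # more packets on an existing connection
            if len(self.states) >= self.max_states:
                return False  # table full: fail closed, do not admit
            self.states.add(key)
            return True
        # Inbound: only replies to a connection HOST itself opened.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return key in self.states


def run_scenario() -> dict[str, tuple[bool, bool]]:
    """Return {name: (stateless_result, stateful_result)} for three packets."""
    sf = StatefulFilter()
    outbound = Packet("out", "tcp", HOST, 49152, "203.0.113.10", 80)
    # Genuine reply from the web server we connected to.
    reply = Packet("in", "tcp", "203.0.113.10", 80, HOST, 49152)
    # Unsolicited probe at a local database port, with source port forged to 80.
    probe = Packet("in", "tcp", "198.51.100.7", 80, HOST, 3306)
    results = {}
    for name, pkt in (("outbound", outbound), ("reply", reply), ("probe", probe)):
        results[name] = (stateless_pass(pkt), sf.passes(pkt))
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:9s} stateless={stateless!s:5s} stateful={stateful}")
```

Running it shows the outbound packet and the genuine reply passing both filters, while the forged probe passes the stateless pair and is dropped by the stateful filter. The flip side is that the stateful filter has to hold one entry per live connection, which is the busy-server concern in the quoted text; the `max_states` branch shows the safe way to fail when that table is exhausted.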