Date: Sun, 15 Sep 2002 08:09:02 +1000
From: Mark.Andrews@isc.org
To: Wincent Colaiuta <win@wincent.org>
Cc: Mark_Andrews@isc.org, Jason Stone <jason-fbsd-security@shalott.net>, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw, natd, and keep-state - strange behavior?
Message-ID: <200209142209.g8EM92B5043544@drugs.dv.isc.org>
In-Reply-To: Your message of "Sat, 14 Sep 2002 20:45:59 +0930." <58D716D2-C7D3-11D6-B5B5-003065C60B4C@wincent.org>
> On Friday, 13 September 2002, at 09:46 AM, Mark.Andrews@isc.org wrote:
>
>>> We're replacing:
>>>
>>> allow tcp from $INET to any 22 setup
>>> allow tcp from any 22 to $INET established
>>>
>>> with
>>>
>>> check-state
>>> allow tcp from $INET to any 22 setup keep-state
>>>
>>> -Jason
>>
>> Note: keep-state works well with protocols that are chatty.
>> 'ssh' is not chatty. You need to adjust the timeouts to
>> support ssh, otherwise the rules will time out.
>>
>> Mark
>
> And when you do that you increase your susceptibility to a flood DoS.
> So it's all a balancing act and there's no such thing as an
> invulnerable system.
>
> Cheers
> Wincent

Well, do you want a system that works or one that is slightly more
vulnerable to an accidental exhaustion of rule slots? If they are
exhausted you need a bigger table to start with.

Note: if they are going to DoS you there is no way any particular
timeout will prevent that. Also this has to originate from inside, as
you should have an anti-spoofing rule before the keep-state rule.

Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org
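The ruleset the thread converges on, written out as an added example (this is not code from the thread or from FreeBSD's rc.firewall): the static setup/established pair is replaced by check-state plus a keep-state rule, the anti-spoofing rules sit in front of the keep-state rule as Mark recommends, and the dynamic-rule table size and the idle timeout that bites ssh are set explicitly rather than left at their defaults. The interface name fxp0, the inside network 192.168.1.0/24, the sysctl values and the variable names oif, inet, fwcmd and sysctlcmd are assumptions for illustration; the sysctl names and ipfw keywords are real.

```shell
#!/bin/sh
# Added example, not from the thread: ipfw ruleset with check-state/keep-state,
# anti-spoofing before the keep-state rule, and explicit dynamic-rule tuning.
# Assumptions (edit for your host): oif, inet, fwcmd, sysctlcmd.
# Dry-run without touching the kernel:  fwcmd=echo sysctlcmd=echo sh this.sh apply

oif="${oif:-fxp0}"               # outside interface (assumed name)
inet="${inet:-192.168.1.0/24}"   # inside network (assumed range)
fwcmd="${fwcmd:-/sbin/ipfw}"     # rc.firewall-style indirection; echo to dry-run
sysctlcmd="${sysctlcmd:-/sbin/sysctl}"

# Dynamic-rule tuning. dyn_max is the total number of dynamic rule slots:
# if normal load exhausts it, the table was too small to begin with, so size
# it for the expected number of concurrent flows instead of trimming timeouts.
# dyn_ack_lifetime is the idle lifetime of an established TCP flow; the
# default of 300 s is shorter than a quiet ssh session, so an idle session
# loses its dynamic rule. Raising it keeps ssh alive at the cost of idle
# entries occupying slots longer (the trade-off Wincent and Mark discuss).
# The values below are choices for this example, not recommendations.
tune_dynamic_rules() {
    "$sysctlcmd" net.inet.ip.fw.dyn_max=8192
    "$sysctlcmd" net.inet.ip.fw.dyn_ack_lifetime=7200
    "$sysctlcmd" net.inet.ip.fw.dyn_syn_lifetime=20
    "$sysctlcmd" net.inet.ip.fw.dyn_fin_lifetime=1
    "$sysctlcmd" net.inet.ip.fw.dyn_rst_lifetime=1
}

load_rules() {
    "$fwcmd" -f flush

    # Anti-spoofing first: nothing arriving on the outside interface may
    # claim an inside or loopback source address. Because these rules come
    # before the keep-state rule, a remote host cannot create dynamic
    # entries with a forged inside source; a slot-exhausting flood has to
    # originate from inside.
    "$fwcmd" add 100 deny ip from "$inet" to any in via "$oif"
    "$fwcmd" add 110 deny ip from 127.0.0.0/8 to any in via "$oif"
    "$fwcmd" add 120 deny ip from any to 127.0.0.0/8 in via "$oif"

    # Packets that belong to a flow already in the dynamic table are
    # accepted here, in either direction.
    "$fwcmd" add 200 check-state

    # Outbound ssh from inside: the SYN matches, creates a dynamic rule,
    # and the rest of the connection is admitted by check-state. Replaces
    #   allow tcp from $INET to any 22 setup
    #   allow tcp from any 22 to $INET established
    "$fwcmd" add 300 allow tcp from "$inet" to any 22 setup keep-state

    # Everything else is dropped and logged.
    "$fwcmd" add 65000 deny log ip from any to any
}

# Only apply when explicitly asked, so the file can also be sourced.
case "${1:-}" in
    apply) tune_dynamic_rules; load_rules ;;
esac
```

Run it with `fwcmd=echo sysctlcmd=echo sh this.sh apply` first to see the rules and sysctls it would issue, then without the overrides as root. After loading, `ipfw -d show` lists the dynamic entries with their remaining lifetimes, which is the quickest way to confirm that an idle ssh session is still covered. ipfw2 (FreeBSD 4.7 and later) additionally offers net.inet.ip.fw.dyn_keepalive, which has the firewall send keepalive probes on idle dynamic TCP rules so they are refreshed without raising dyn_ack_lifetime as far.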
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200209142209.g8EM92B5043544>