Date: Tue, 17 Apr 2012 13:17:59 -0700
From: Kevin Oberman <kob6558@gmail.com>
To: Michael Sierchio <kudzu@tenebras.com>
Cc: freebsd-net@freebsd.org, "Dmitry S. Kasterin" <dmk.sbor@gmail.com>
Subject: Re: Stateful IPFW - too many connections in FIN_WAIT_2 or LAST_ACK states
Message-ID: <CAN6yY1s608M5coYP76OvBvOqd5HqZFyaiVb8PdviGFVN-Do1sg@mail.gmail.com>
In-Reply-To: <CAHu1Y72HG00_yv0wyk_7rRC1bb0SNa+cEOoXZTALV6bkBj207g@mail.gmail.com>
References: <CAJkxAbyMEYZ4pYu=z4Sfwdqtzh=PjhHE4qrbSsyL34YE9TnXZQ@mail.gmail.com> <CAJkxAbyi7hx9Dugtw5-Md1y77JRzOu3bygS8ntfQg+kw1KZ63w@mail.gmail.com> <CAN6yY1uRrfv0Bdeb+tosna8O8ajD_H1j7N=akL7PS8XC3X09qA@mail.gmail.com> <CAHu1Y72HG00_yv0wyk_7rRC1bb0SNa+cEOoXZTALV6bkBj207g@mail.gmail.com>
On Tue, Apr 17, 2012 at 12:58 PM, Michael Sierchio <kudzu@tenebras.com> wrote:
> On Tue, Apr 17, 2012 at 12:48 PM, Kevin Oberman <kob6558@gmail.com> wrote:
>>
>> But I do have to ask why you find stateful rules for outgoing TCP
>> connections desirable? Why not:
>> 00101 allow tcp from me to any established
>>
> It's useful and appropriate to have outbound connections be stateful. It's
> not a good idea to have inbound connections stateful, as it makes it easy to
> fill up the state table.

It is occasionally useful and appropriate to have outbound connections be
stateful. I agree that inbound ones are dangerous, but I have managed to
DoS myself on an outbound entry. (Yes, it was dumb and involved some
horribly written software that kept opening and closing sockets instead of
continuing to re-use them.)

There can also be no question that they are more complex and, in most
cases, offer exactly zero advantage over 'established'. It is often simply
an automatic action that involves no thought of which is more appropriate.

-- 
R. Kevin Oberman, Network Engineer
E-mail: kob6558@gmail.com
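The two ways of admitting return traffic for outbound TCP that this thread contrasts, written out as an ipfw(8) rules file. This is an added example, not a ruleset from the original posters; the rule numbers, the file path /etc/ipfw.rules and the loopback line are assumptions for illustration. The two variants are alternatives: keep one.

```conf
# Added example (not from the thread). Load with: ipfw -q /etc/ipfw.rules
# Rule numbers, file path and the lo0 line are assumptions for illustration.
flush
add 00010 allow ip from any to any via lo0

# --- Variant A: stateful outbound TCP (the form the thread is about) ---
# check-state matches packets against the dynamic rule table; keep-state
# creates a dynamic entry for every outbound SYN. Each connection costs one
# entry, and after the close the entry lingers for
# net.inet.ip.fw.dyn_fin_lifetime seconds (the FIN_WAIT_2 / LAST_ACK
# entries in the subject line), so a client that churns sockets can fill
# net.inet.ip.fw.dyn_max entirely on its own.
add 00100 check-state
add 00101 allow tcp from me to any setup keep-state

# --- Variant B: stateless, using TCP flag matching (the 'established'
# rule suggested in the reply) ---
# "established" matches segments with ACK or RST set; "setup" matches a
# bare SYN. Nothing is stored per connection, so there is no table to
# exhaust, but both directions of a flow must be admitted explicitly.
add 00200 allow tcp from me to any setup
add 00201 allow tcp from me to any established
add 00202 allow tcp from any to me established
add 00203 deny log tcp from any to me setup

add 65000 deny log ip from any to any
```

The trade-off behind the thread: variant B admits any ACK-flagged segment addressed to the host (an ACK scan reaches the TCP stack, which answers with RST), while variant A is exact per flow but consumable. To see whether the dynamic table is the problem on a host running variant A, compare `sysctl net.inet.ip.fw.dyn_count` against `net.inet.ip.fw.dyn_max` and list the entries with `ipfw -d list`; `net.inet.ip.fw.dyn_fin_lifetime` controls how long closed flows stay in the table.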
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAN6yY1s608M5coYP76OvBvOqd5HqZFyaiVb8PdviGFVN-Do1sg>