stateful firewall implementation in FreeBSD

satish amara satishkamara at gmail.com
Thu Jan 26 17:49:21 UTC 2012


Hi,
I have a question regarding the stateful firewall implementation of FreeBSD.
IPF has a stateful “keep state” option.
Stateful filtering treats traffic as a bi-directional exchange of packets
comprising a session conversation. When activated, keep-state dynamically
generates internal rules for each anticipated packet being exchanged during
the bi-directional session conversation. It has sufficient matching
capabilities to determine if the session conversation between the
originating sender and the destination are following the valid procedure of
bi-directional packet exchange. Any packets that do not properly fit the
session conversation template are automatically rejected as impostors.

I have a question regarding the size of the state table kept in FreeBSD for
stateful packet inspection. Say we have a valid scenario where we have a
stateful firewall rule for HTTP and we get a lot of incoming new HTTP sessions
and the state table is filled up. In that case I guess FreeBSD would reject
new sessions. I just want to know what is the latest on this. How would
FreeBSD handle it if the state table is full and we get a valid new HTTP
connection? What are the options in terms of configuration or new features in
BSD that would address this issue?


Thanks,
Satish K Amara
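An added toy model of the behaviour asked about above (this is illustrative code, not from the thread, from IPF, or from FreeBSD): a capped state table that refuses new sessions once full, plus pf-style adaptive timeouts (pf.conf's `set timeout adaptive.start` / `adaptive.end`, which shrink idle timeouts linearly as the table fills) as one of the configuration knobs that mitigate the "table full" case. The class layout, flow tuples and timestamps are assumptions of this example.

```python
"""Toy model of a stateful firewall state table under connection load."""
from dataclasses import dataclass, field


@dataclass
class StateTable:
    max_states: int            # hard cap, like pf's `set limit states`
    base_timeout: float        # idle timeout for an established flow, seconds
    adaptive_start: int = 0    # pf-style adaptive.start (0 disables scaling)
    adaptive_end: int = 0      # pf-style adaptive.end
    states: dict = field(default_factory=dict)  # flow tuple -> last seen time

    def effective_timeout(self) -> float:
        """pf's rule: above adaptive.start the timeout shrinks linearly and
        reaches zero at adaptive.end, so idle states die faster under load."""
        n = len(self.states)
        if self.adaptive_end > self.adaptive_start and n > self.adaptive_start:
            factor = (self.adaptive_end - n) / (self.adaptive_end - self.adaptive_start)
            return self.base_timeout * max(factor, 0.0)
        return self.base_timeout

    def expire(self, now: float) -> int:
        """Remove states idle longer than the current timeout; return the count."""
        ttl = self.effective_timeout()
        dead = [flow for flow, seen in self.states.items() if now - seen > ttl]
        for flow in dead:
            del self.states[flow]
        return len(dead)

    def new_session(self, flow: tuple, now: float) -> bool:
        """Try to create state for a new connection (e.g. an inbound HTTP SYN).
        Returns False when the table is full: the packet is dropped, which is
        the 'reject new sessions' case the question describes."""
        self.expire(now)
        if flow in self.states:          # retransmit of a known flow
            self.states[flow] = now
            return True
        if len(self.states) >= self.max_states:
            return False
        self.states[flow] = now
        return True
```

With adaptive timeouts the table still has a hard cap, but idle HTTP states are recycled sooner, so fewer valid new connections are refused during a burst.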

