stateful firewall implementation in FreeBSD
Chuck Swiger
cswiger at mac.com
Thu Jan 26 20:40:39 UTC 2012
Hi--
On Jan 26, 2012, at 9:24 AM, satish amara wrote:
> I have a question regarding the size of the state table kept in FreeBSD for
> stateful packet inspection. Say we have a valid scenario where we have a
> stateful firewall rule for HTTP and we get a lot of incoming new HTTP sessions
> and the state table is filled full. In that case I guess FreeBSD would reject
> new sessions. Just want to know what is the latest on this. How would
> FreeBSD handle it if the state table is full and we get a valid new HTTP
> connection? What are the options in terms of configuration or new features in
> BSD that would address this issue?
A securely designed firewall will drop connections when the state table is full.
You can increase the size of the state table by following the IPF FAQ:
http://www.phildev.net/ipf/IPFques.html#ques25
...but in point of fact, keeping state for high-volume traffic is generally
a losing game, and you are better off (IMHO) setting up stateless bidirectional
rules which permit such high volume traffic.
HTTP isn't generally too much of a problem, though-- something like a popular
stratum-1 or 2 public NTP timeserver will easily blow out a stateful firewall
if you try to keep state for NTP's UDP traffic.
Regards,
--
-Chuck
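To make the stateless-bidirectional suggestion concrete, here is an added IPFilter ruleset fragment for the NTP case; it is not from the message or the IPF FAQ, and the interface name em0 and server address 192.0.2.10 are assumed placeholders.

```ipf
# Constructed example: IPFilter rules for a public NTP server on em0.
# Assumed placeholder address for the server: 192.0.2.10.
#
# Stateful variant (commented out): every client query creates a state
# table entry that lingers until the UDP state timeout expires, so a busy
# server fills the table and further queries are dropped once it is full.
# pass in quick on em0 proto udp from any to 192.0.2.10 port = 123 keep state
#
# Stateless bidirectional variant: no state entry is created, so the table
# cannot fill from NTP load. Both directions must be permitted explicitly,
# since there is no state to match the reply against.
pass in  quick on em0 proto udp from any to 192.0.2.10 port = 123
pass out quick on em0 proto udp from 192.0.2.10 port = 123 to any
#
# State table pressure for the remaining stateful rules can be watched
# with "ipfstat -s".
```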