From: Darren Reed (avalon_at_coombs.anu.edu.au)
Date: Thu Sep 12 2002 - 21:52:50 CDT

    In some mail from Jeffrey J. Mountin, sie said:
    [...]
    > >We are not presuming anything of the kind - obviously, any packets that
    > >you mean to deny you set up deny rules for. We are talking about
    > >a situation where you want to allow a particular outbound service. With
    > >your ruleset, you are allowing packets back into the internal network that
    > >should never be allowed in there. With a ruleset that involves
    > >keep/check-state, you have the same semantics in terms of what you mean to
    > >allow, but you deny more packets that shouldn't be allowed. And if you're
    > >only setting keep-state on the rules allowing the outbound setup packets,
    > >you probably don't have to worry about DoS.
    >
    > Right. One can DoS a stateful firewall if any inbound connections are
    > allowed. This is something to consider when making the choice. Also if
    > you alter the timeouts, which should be just long enough for normal
    > operation with some extra for sanity's sake. Once the limit of stateful
    > rules is reached there should be some sort of clean-up to reduce the impact
    > on legitimate connections. Not sure if IPFW or IPFilter do this, but
    > Cisco's PIX handles this by killing off embryonic connections (i.e. SYN flood).

    IPFilter does go looking for "low hanging fruit" to get rid of when it
    notices that the limit of stateful sessions has been reached.

    Darren
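As an added illustration of the two points argued in this thread (it is not code from IPFilter, ipfw, the PIX, or any poster), the Python model below simulates a firewall state table with a hard limit. It shows that keeping state only on outbound setup packets leaves an inbound SYN flood with nothing to fill, and that when inbound setup is allowed with keep-state, the clean-up that matters is evicting embryonic (half-open) entries first, so a new legitimate connection still gets a slot and established sessions are never touched. The table limit, the 30 s / 3600 s timeouts, the addresses, and the simplification that an entry leaves the embryonic state when the responder's SYN/ACK is seen are all assumptions of this example.

```python
"""Toy stateful-firewall state table (added example; not IPFilter/ipfw/PIX code).
Assumptions: limit, timeouts and addresses are made up; an entry is treated as
established once the responder's SYN/ACK is seen (a real stack waits for the
third packet)."""
from collections import OrderedDict

EMBRYONIC, ESTABLISHED = "embryonic", "established"


def flow_key(pkt):
    """Direction-independent 5-tuple so both halves of a session hit one entry."""
    a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
    return (pkt["proto"],) + (a + b if a <= b else b + a)


class StateTable:
    def __init__(self, limit, cleanup=True, embryonic_timeout=30.0, established_timeout=3600.0):
        self.limit, self.cleanup = limit, cleanup
        self.timeouts = {EMBRYONIC: embryonic_timeout, ESTABLISHED: established_timeout}
        self.entries = OrderedDict()   # key -> [state, last_seen]; order = age (oldest first)

    def expire(self, now):
        """Drop entries idle longer than their per-state timeout."""
        for key in [k for k, (st, seen) in self.entries.items() if now - seen > self.timeouts[st]]:
            del self.entries[key]

    def _evict_embryonic(self):
        """Clean-up step: remove the oldest half-open entry; established ones are never evicted."""
        for key, (st, _) in self.entries.items():
            if st == EMBRYONIC:
                del self.entries[key]
                return True
        return False

    def add(self, key, now):
        self.expire(now)
        if len(self.entries) >= self.limit and not (self.cleanup and self._evict_embryonic()):
            return False   # table full and nothing evictable: refuse new state
        self.entries[key] = [EMBRYONIC, now]
        return True

    def touch(self, key, pkt, now):
        """check-state: refresh a live entry; SYN/ACK moves it out of the embryonic state."""
        entry = self.entries.get(key)
        if entry is None or now - entry[1] > self.timeouts[entry[0]]:
            self.entries.pop(key, None)
            return False
        if entry[0] == EMBRYONIC and pkt["flags"] == "SA":
            entry[0] = ESTABLISHED
        entry[1] = now
        self.entries.move_to_end(key)
        return True

    def count(self, state):
        return sum(1 for st, _ in self.entries.values() if st == state)


class Firewall:
    """Rule order mirrors the keep-state idiom: check-state first, then setup rules, then deny."""
    def __init__(self, table, allow_inbound_setup):
        self.table, self.allow_inbound_setup = table, allow_inbound_setup

    def filter(self, pkt, now):
        key = flow_key(pkt)
        if self.table.touch(key, pkt, now):
            return "pass"                                  # matched existing state
        if pkt["flags"] == "S" and (pkt["dir"] == "out" or self.allow_inbound_setup):
            return "pass" if self.table.add(key, now) else "drop"   # setup + keep-state
        return "drop"                                      # default deny


def tcp(direction, src, sport, dst, dport, flags):
    return {"proto": "tcp", "dir": direction, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": flags}


def simulate(allow_inbound_setup, cleanup=True, limit=50, flood_size=200):
    """Run a constructed SYN flood against the table and report what still gets through."""
    fw = Firewall(StateTable(limit, cleanup=cleanup), allow_inbound_setup)
    t = 1000.0
    # One legitimate session established before the flood starts.
    fw.filter(tcp("out", "10.0.0.5", 40000, "192.0.2.10", 80, "S"), t)
    fw.filter(tcp("in", "192.0.2.10", 80, "10.0.0.5", 40000, "SA"), t + 0.1)
    # Constructed flood: spoofed sources, one SYN each, against an inside host.
    for i in range(flood_size):
        fw.filter(tcp("in", f"203.0.113.{i % 250}", 1024 + i, "10.0.0.5", 25, "S"), t + 1 + i * 0.01)
    r = {"states_after_flood": len(fw.table.entries)}
    # Does a new outbound connection (and its reply) still get state during the flood?
    r["new_outbound_passes"] = fw.filter(tcp("out", "10.0.0.7", 40001, "192.0.2.20", 443, "S"), t + 5) == "pass"
    r["its_reply_passes"] = fw.filter(tcp("in", "192.0.2.20", 443, "10.0.0.7", 40001, "SA"), t + 5.1) == "pass"
    # A data packet on the old session carries no SYN, so only its state lets it in.
    r["old_session_passes"] = fw.filter(tcp("in", "192.0.2.10", 80, "10.0.0.5", 40000, "A"), t + 6) == "pass"
    fw.table.expire(t + 60)   # past the embryonic timeout, well short of the established one
    r["embryonic_after_timeout"] = fw.table.count(EMBRYONIC)
    return r


if __name__ == "__main__":
    for inbound, cleanup in ((False, True), (True, True), (True, False)):
        print(f"inbound setup allowed={inbound} cleanup={cleanup}:", simulate(inbound, cleanup))
```

Running it shows the three regimes: with inbound setup denied the flood leaves the table at one entry; with inbound keep-state and embryonic eviction the table sits at its limit but new outbound sessions and the old established one still pass; with inbound keep-state and no clean-up the new outbound SYN and its reply are dropped until the short embryonic timeout drains the flood entries.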
