[ILUG] Firewalls... linux -v- BSD
paul at clubi.ie
Tue Aug 29 22:35:44 IST 2006
On Tue, 29 Aug 2006, Stephen Shirley wrote:
> Can you expand on why? I know I've been using iptables to do stateful
> firewalling for some years, and haven't had issues with it.
Because there is no need to statefully filter TCP; invalid TCP will
be denied by the TCP state machine - what exactly does it achieve to
try to replicate that state machine in the middle?
You go from (as far as TCP state is concerned):
A------------B
to
A------C-----B
All you do is introduce ways for C to furk-up.
Next up, imagine that the line between A and B actually consists of
multiple paths, such that your firewalls must be replicated (again
this is in terms of where TCP state is kept):
      /-C-----\
A-----|       |----B
      \-D-----/
Now you get the problem that C and D somehow must have their TCP
state-machines synchronised, or things don't work if a connection's
packets don't go through the same firewall that all previous packets
did.
The idiotic answer at this point, rather than going "sheesh, maybe
trying to recreate TCP state in the middle /wasn't/ such a good idea
after all?", is to try to synchronise the TCP-firewall state between C
and D, noting that:
- you may not be able to do so any faster than A generates new state.
i.e. this solution is *full* of broken corner-cases by design.
The correct answer: Just filter out SYNs *statelessly*.
Keep the middle stupid, put the clever stuff at the edges, as Postel
et al intended.
regards,
--
Paul Jakma paul at clubi.ie paul at jakma.org Key ID: 64A2FF6A
Fortune:
The difference between a Miracle and a Fact is exactly the difference
between a mermaid and a seal.
-- Mark Twain
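The argument above in working code, as an added example that is not part of the mail or the thread: it assumes a constructed three-segment flow from A to B and two parallel firewalls C and D whose tracking state is not synchronised, and contrasts per-node connection tracking with the stateless SYN filter the mail recommends.

```python
# Added example (not from the mail): stateless SYN filtering versus per-node
# connection tracking across two parallel, unsynchronised firewalls C and D.
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10                      # TCP flag bits used below

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int

ALLOWED_INBOUND_PORTS = {22, 80}          # assumption: services reachable from outside
def stateless_allow(p: Pkt) -> bool:
    """Only connection-opening segments (SYN without ACK) are policed; everything
    else is passed and left to the endpoints' own TCP state machines."""
    if p.flags & SYN and not p.flags & ACK:
        return p.dport in ALLOWED_INBOUND_PORTS
    return True

class StatefulFirewall:
    """Naive tracker: a node only passes segments of flows whose SYN it saw itself."""
    def __init__(self) -> None:
        self.flows: set = set()

    def allow(self, p: Pkt) -> bool:
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags & SYN and not p.flags & ACK:
            if p.dport not in ALLOWED_INBOUND_PORTS:
                return False
            self.flows.add(key)
            return True
        return key in self.flows          # mid-flow segment of an unknown flow: dropped

def run_paths(filters, packets):
    """Successive packets of the flow take alternate paths (C, D, C, ...)."""
    return [filters[i % len(filters)](p) for i, p in enumerate(packets)]

# Constructed A->B flow: SYN, then two ACK-bearing segments (B's replies omitted).
FLOW = [Pkt("A", "B", 40000, 80, SYN),
        Pkt("A", "B", 40000, 80, ACK),
        Pkt("A", "B", 40000, 80, ACK)]

def compare():
    """Returns (stateful verdicts, stateless verdicts) for FLOW across C and D."""
    c, d = StatefulFirewall(), StatefulFirewall()
    return (run_paths([c.allow, d.allow], FLOW),
            run_paths([stateless_allow, stateless_allow], FLOW))
```

With the stateful pair, D drops the second segment because it never saw the SYN that C did; the stateless filter passes the whole flow and still rejects a SYN to a port that is not opened.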