[ILUG] Firewalls... linux -v- BSD
Stephen Shirley
diamond at skynet.ie
Tue Aug 29 22:45:42 IST 2006
On 29/08/06, paul at clubi.ie <paul at clubi.ie> wrote:
> Because there is no need to statefully filter TCP, invalid TCP will
> be denied by the TCP state machine - what exactly does it achieve to
> try replicate that state machine in the middle?
It helps deal with broken protocols such as ftp and irc-dcc, no? It
also means you don't have to run a firewall on each individual machine
to prevent an information leak, as I understand it.
> Next up, imagine that the line between A and B actually consists of
> multiple paths, such that your firewalls must be replicated (again
> this is in terms of where TCP state is kept):
Steady on there. I would consider that to be an unusual layout, and
yes, certainly not one I would attempt to do stateful firewalling on.
Just because it doesn't apply in a corner case doesn't make it
generally a bad idea however.
Steve
--
"You are technically correct, the best kind of correct."
- Bureaucrat 1.0, Futurama
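To make the two positions in this exchange concrete, here is an added toy model (not code from the thread or from either poster): a connection tracker that admits only replies to connections it has itself seen opened, which is why inside hosts need no per-host firewall against unsolicited inbound traffic, alongside the multi-path case where the reply reaches a second filter that never saw the SYN. Hosts "A" (inside) and "B" (outside) and all packet values are constructed.

```python
"""Toy stateful packet filter illustrating the stateful-vs-stateless debate.

Added example, not from the original post. Network layout and packets
are constructed: A sits behind the filter, B is outside.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # set on the first packet of a TCP connection
    ack: bool = False


class StatefulFilter:
    """Lets inside hosts open connections; inbound packets must match a
    connection this particular filter saw being opened."""

    def __init__(self, inside):
        self.inside = set(inside)
        self.table = set()  # (inside host, port, outside host, port)

    def process(self, pkt: Packet) -> str:
        if pkt.src in self.inside:
            if pkt.syn and not pkt.ack:          # new outbound connection
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # Inbound: only replies to tracked connections pass, so a service
        # listening on an inside host is never reachable unsolicited.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "ACCEPT"
        return "DROP"


def single_path():
    """One filter sees both directions: reply accepted, unsolicited dropped."""
    fw = StatefulFilter({"A"})
    return [fw.process(Packet("A", 40000, "B", 80, syn=True)),
            fw.process(Packet("B", 80, "A", 40000, syn=True, ack=True)),
            fw.process(Packet("B", 4444, "A", 22, syn=True))]


def two_paths():
    """SYN leaves via path 1, the reply returns via path 2: filter 2 holds
    no state for it and drops a legitimate reply (the multi-path objection)."""
    fw1, fw2 = StatefulFilter({"A"}), StatefulFilter({"A"})
    out = fw1.process(Packet("A", 40000, "B", 80, syn=True))
    back = fw2.process(Packet("B", 80, "A", 40000, syn=True, ack=True))
    return [out, back]
```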