[ILUG] Firewalls... linux -v- BSD
Paul Mc Auley
paul at peema.org
Tue Aug 29 23:01:48 IST 2006
On Tuesday 29 August 2006 22:35, paul at clubi.ie wrote:
> On Tue, 29 Aug 2006, Stephen Shirley wrote:
> > Can you expand on why? I know I've been using iptables to do stateful
> > firewalling for some years, and haven't had issues with it.
> Because there is no need to statefully filter TCP, invalid TCP will
> be denied by the TCP state machine - what exactly does it achieve to
> try replicate that state machine in the middle?
Not all IP traffic is TCP.
The other classic edge case is FTP, and no matter how much you might want it
otherwise, there are cases where FTP is a requirement.
As to state synchronising trickery between stateful firewalls, I'd generally
consider that a failover solution more than a load-balancing one; I'd be
wary of the overhead from trying to keep the management for any non-trivial
number of states synched up, as I'd see that getting out of hand in a big
> The correct answer: Just filter out SYNs *statelessly*.
The correct answer is to match your solution to your problem. Just because a
certain solution doesn't match your needs, has caused you trouble in the
past or stolen your sweets doesn't automatically make it the wrong answer
for all cases.
FFS, "NAT is evil?" Do you want everyone to switch to public IPs, right
here, right now? Sure it causes problems for a range of cases, but that
doesn't stop it being usable for home and office networking.
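The disagreement above is about what a "just filter SYNs statelessly" policy does and does not cover. The following is an added model written for this page, not code from the thread or from any firewall project: it runs constructed packet traces through a stateless SYN filter and a minimal connection-tracking firewall and reports the verdict on the last packet of each trace. The hosts (10.0.0.5 inside, 203.0.113.9 outside), the ports and the FTP PORT command are all constructed sample data; the tracking logic is a simplification of what netfilter conntrack and its FTP helper do (no sequence-number checks, no timeouts).

```python
"""Stateless SYN filtering versus stateful tracking on constructed packet traces."""
from dataclasses import dataclass

INSIDE = "10.0.0.5"       # constructed: host on the protected network
OUTSIDE = "203.0.113.9"   # constructed: host on the Internet (TEST-NET-3 range)


@dataclass(frozen=True)
class Packet:
    direction: str          # "out" = inside -> outside, "in" = outside -> inside
    proto: str              # "tcp" or "udp"
    src: tuple              # (ip, port)
    dst: tuple              # (ip, port)
    syn: bool = False
    ack: bool = False
    payload: str = ""       # only inspected for the FTP PORT command


class StatelessSynFilter:
    """'Just filter out SYNs statelessly': drop inbound TCP with SYN and no ACK,
    pass everything else. Nothing is remembered between packets."""

    def handle(self, pkt):
        if pkt.direction == "in" and pkt.proto == "tcp" and pkt.syn and not pkt.ack:
            return False
        return True


class StatefulFirewall:
    """Connection tracking: inbound traffic passes only as part of a flow the
    inside opened, or a data connection an application helper announced."""

    def __init__(self, ftp_helper=True):
        self.flows = set()       # (proto, inside_endpoint, outside_endpoint)
        self.expected = set()    # same shape; helper-announced connections
        self.ftp_helper = ftp_helper

    def handle(self, pkt):
        if pkt.direction == "out":
            self.flows.add((pkt.proto, pkt.src, pkt.dst))
            if (self.ftp_helper and pkt.proto == "tcp" and pkt.dst[1] == 21
                    and pkt.payload.startswith("PORT ")):
                # Active FTP: the client names the endpoint the server must
                # connect to from port 20 (PORT h1,h2,h3,h4,p1,p2).
                h1, h2, h3, h4, p1, p2 = (int(x) for x in pkt.payload[5:].split(","))
                client = (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
                self.expected.add(("tcp", client, (pkt.dst[0], 20)))
            return True
        key = (pkt.proto, pkt.dst, pkt.src)
        if key in self.flows:
            return True
        if key in self.expected:
            self.expected.discard(key)
            self.flows.add(key)    # promote RELATED -> ESTABLISHED
            return True
        return False


def scenarios():
    """Constructed traces covering the points raised in the thread."""
    return {
        "unsolicited_inbound_ssh_syn": [
            Packet("in", "tcp", (OUTSIDE, 40000), (INSIDE, 22), syn=True)],
        "outbound_http_handshake": [
            Packet("out", "tcp", (INSIDE, 50000), (OUTSIDE, 80), syn=True),
            Packet("in", "tcp", (OUTSIDE, 80), (INSIDE, 50000), syn=True, ack=True)],
        "dns_query_and_reply": [
            Packet("out", "udp", (INSIDE, 50001), (OUTSIDE, 53)),
            Packet("in", "udp", (OUTSIDE, 53), (INSIDE, 50001))],
        "unsolicited_inbound_udp": [          # "Not all IP traffic is TCP"
            Packet("in", "udp", (OUTSIDE, 40001), (INSIDE, 161))],
        "active_ftp_data_connection": [       # the FTP edge case
            Packet("out", "tcp", (INSIDE, 50002), (OUTSIDE, 21), syn=True),
            Packet("in", "tcp", (OUTSIDE, 21), (INSIDE, 50002), syn=True, ack=True),
            Packet("out", "tcp", (INSIDE, 50002), (OUTSIDE, 21), ack=True,
                   payload="PORT 10,0,0,5,195,83"),     # 195*256+83 = 50003
            Packet("in", "tcp", (OUTSIDE, 20), (INSIDE, 50003), syn=True)],
    }


def last_verdict(trace, fw):
    """Feed a trace to a fresh firewall; return the verdict on its final packet."""
    verdict = None
    for pkt in trace:
        verdict = fw.handle(pkt)
    return verdict


def compare():
    """Per scenario: (stateless verdict, stateful verdict) on the last packet."""
    return {name: (last_verdict(trace, StatelessSynFilter()),
                   last_verdict(trace, StatefulFirewall()))
            for name, trace in scenarios().items()}


if __name__ == "__main__":
    for name, (stateless, stateful) in compare().items():
        fmt = lambda v: "pass" if v else "drop"
        print(f"{name:30} stateless={fmt(stateless)}  stateful={fmt(stateful)}")
```

Both policies agree on the TCP cases the thread argues about (an unsolicited inbound SYN is dropped, the reply half of an outbound handshake passes). They diverge exactly where the reply says they do: the stateless filter has no way to tell a DNS reply from an unsolicited UDP datagram and passes both, and it cannot let the active-FTP data connection in without opening every high port, while the tracker passes it only because the helper saw the PORT command on the control connection (construct `StatefulFirewall(ftp_helper=False)` and that connection is dropped too).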