On Tue, 29 Aug 2006, Stephen Shirley wrote:
> Can you expand on why? I know I've been using iptables to do stateful
> firewalling for some years, and haven't had issues with it.
Because there is no need to statefully filter TCP: invalid TCP will
be denied by the TCP state machine. What exactly does it achieve to
try to replicate that state machine in the middle?
You go from (as far as TCP state is concerned):
A------------B
to
A------C-----B
All you do is introduce ways for C to furk-up.
Next up, imagine that the line between A and B actually consists of
multiple paths, such that your firewalls must be replicated (again
this is in terms of where TCP state is kept):
      /-C-----\
A-----|       |----B
      \-D-----/
Now you get the problem that C and D somehow must have their TCP
state-machines synchronised, or things don't work if a connection's
packets don't go through the same firewall that all previous packets
did.
The idiotic answer at this point, rather than going "sheesh, maybe
trying to recreate TCP state in the middle /wasn't/ such a good idea
after all?", is to try to synchronise the TCP-firewall state between C
and D, noting that:
- you may not be able to do so any faster than A generates new state.
i.e. this solution is *full* of broken corner-cases by design.
The correct answer: Just filter out SYNs *statelessly*.
Keep the middle stupid, put the clever stuff at the edges, as Postel
et al intended.
regards,
--
Paul Jakma    paul at clubi.ie    paul at jakma.org    Key ID: 64A2FF6A
Fortune:
The difference between a Miracle and a Fact is exactly the difference
between a mermaid and a seal.
-- Mark Twain
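As an added illustration (not part of the thread above), a small Python model of the two-path case: a filter that only inspects the SYN bit keeps no per-flow memory, so the replicated instances C and D give identical verdicts for every packet, whereas an unsynchronised connection tracker at D drops the reply and data segments of a flow whose SYN went through C. Hosts, ports and packets are constructed; the SYN test corresponds to iptables' --syn match.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    """One TCP segment; flags is a string such as 'S', 'SA', 'A', 'PA' (constructed)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str

# Constructed: the only service B (10.0.0.2) offers to the outside is SSH.
ALLOWED_INBOUND = {("10.0.0.2", 22)}

def is_syn(p: Pkt) -> bool:
    """New-connection attempt: SYN set, ACK clear (roughly what iptables' --syn matches)."""
    return "S" in p.flags and "A" not in p.flags

class StatelessFirewall:
    """Drops SYNs to services B does not offer; everything else passes. No per-flow
    memory, so replicated instances C and D always agree, whichever path a packet takes."""
    def decision(self, p: Pkt) -> bool:
        return (p.dst, p.dport) in ALLOWED_INBOUND if is_syn(p) else True

class StatefulFirewall:
    """Simplified connection tracker: non-SYN packets pass only for flows whose SYN
    this instance saw. Instances share nothing, as in the unsynchronised case."""
    def __init__(self) -> None:
        self.flows: set = set()
    def decision(self, p: Pkt) -> bool:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if is_syn(p):
            ok = (p.dst, p.dport) in ALLOWED_INBOUND
            if ok:
                self.flows.add(fwd)
            return ok
        return fwd in self.flows or rev in self.flows

def run(packets, paths, make_fw):
    """Feed each packet to the firewall on its path (C or D); return the verdicts."""
    fws = {"C": make_fw(), "D": make_fw()}
    return [fws[path].decision(p) for p, path in zip(packets, paths)]

A, B = "192.0.2.1", "10.0.0.2"
# Constructed: A opens SSH to B; the reply and a later data segment take the other path.
HANDSHAKE = [Pkt(A, 40000, B, 22, "S"), Pkt(B, 22, A, 40000, "SA"),
             Pkt(A, 40000, B, 22, "A"), Pkt(A, 40000, B, 22, "PA")]
PATHS = ["C", "D", "C", "D"]
```

Running run(HANDSHAKE, PATHS, StatelessFirewall) passes all four segments, while run(HANDSHAKE, PATHS, StatefulFirewall) drops the SYN/ACK and the data segment because D never saw the SYN; a stray non-SYN segment to a closed port passes the stateless filter and is left for B's TCP stack to reject.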