On Tuesday 29 August 2006 22:35, paul at clubi.ie wrote:
> On Tue, 29 Aug 2006, Stephen Shirley wrote:
> > Can you expand on why? I know I've been using iptables to do stateful
> > firewalling for some years, and haven't had issues with it.
> Because there is no need to statefully filter TCP, invalid TCP will
> be denied by the TCP state machine - what exactly does it achieve to
> try to replicate that state machine in the middle?
[cough]
Not all IP traffic is TCP.
The other classic edge case is FTP, and no matter how much you might want it
otherwise, there are cases where FTP is a requirement.
As to state synchronising trickery between stateful firewalls, I'd generally
consider that a failover solution more than a load balancing one; I'd be
wary of the overhead from trying to keep the management for any non-trivial
number of states synched up, as I'd see that getting out of hand in a big
hurry.
> The correct answer: Just filter out SYNs *statelessly*.
The correct answer is to match your solution to your problem. Just because a
certain solution doesn't match your needs, has caused you trouble in the
past or stolen your sweets doesn't automatically make it the wrong answer
for all cases.
FFS, "NAT is evil?" Do you want everyone to switch to public IPs, right
here, right now? Sure it causes problems for a range of cases, but that
doesn't stop it being usable for home and office networking.
Paul
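To make the two positions in this thread concrete, here is an added example (not code from the thread or from any of its participants): a toy packet filter that runs one constructed trace through a stateless "drop inbound SYNs" rule and through a connection-tracking filter with a minimal FTP helper. The addresses, ports and the trace are made up, and the filters are simplified models of what iptables does statelessly with `--syn` and statefully with conntrack and its ftp helper, not those implementations. It shows the three things raised above: a SYN rule says nothing about UDP, it passes any inbound TCP segment that is not a SYN, and active-mode FTP needs the firewall to learn the data connection from the control channel.

```python
"""Toy comparison of a stateless SYN filter with a connection-tracking filter.

Constructed example for the mailing-list discussion above; the packet trace,
hosts and ports are made up. Direction is relative to the protected network:
"out" leaves it, "in" enters it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str    # "in" or "out"
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # TCP flags as letters, e.g. "S", "SA", "A"; unused for UDP
    payload: str = ""


def stateless_syn_filter(pkt: Packet) -> str:
    """Drop inbound TCP packets that open a connection (SYN without ACK); pass everything else."""
    if (pkt.direction == "in" and pkt.proto == "tcp"
            and "S" in pkt.flags and "A" not in pkt.flags):
        return "DROP"
    return "ACCEPT"


class StatefulFilter:
    """Remember flows seen leaving the network and admit only their replies, plus
    inbound connections announced on an FTP control channel (the helper idea)."""

    def __init__(self, ftp_helper: bool = True):
        self.ftp_helper = ftp_helper
        self.flows = set()     # 5-tuples in outbound orientation
        self.expected = set()  # (proto, inside host, port) that may be opened from outside once

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _inspect_ftp(self, pkt: Packet) -> None:
        # Active-mode FTP: the client sends "PORT h1,h2,h3,h4,p1,p2" and the server then
        # connects back to h1.h2.h3.h4 on port p1*256+p2, an inbound SYN a pure SYN filter drops.
        for line in pkt.payload.splitlines():
            if line.startswith("PORT "):
                parts = line[5:].strip().split(",")
                if len(parts) == 6 and all(x.isdigit() for x in parts):
                    host = ".".join(parts[:4])
                    port = int(parts[4]) * 256 + int(parts[5])
                    self.expected.add(("tcp", host, port))

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            self.flows.add(self._key(pkt))
            if self.ftp_helper and pkt.proto == "tcp" and pkt.dport == 21:
                self._inspect_ftp(pkt)
            return "ACCEPT"
        if self._reverse(pkt) in self.flows:
            return "ACCEPT"            # reply to something an inside host sent (TCP or UDP)
        if (pkt.proto, pkt.dst, pkt.dport) in self.expected:
            self.expected.discard((pkt.proto, pkt.dst, pkt.dport))
            self.flows.add(self._reverse(pkt))   # track the announced data connection from now on
            return "ACCEPT"
        return "DROP"


# Constructed trace (documentation addresses, not real hosts).
INSIDE, WEB, DNS, FTP, STRANGER = "192.0.2.10", "198.51.100.5", "198.51.100.53", "198.51.100.21", "203.0.113.7"
TRACE = [
    Packet("out", "tcp", INSIDE, 40000, WEB, 80, "S"),        # inside host opens a web connection
    Packet("in", "tcp", WEB, 80, INSIDE, 40000, "SA"),        # its SYN/ACK reply
    Packet("in", "tcp", STRANGER, 12345, INSIDE, 22, "S"),    # unsolicited connection attempt
    Packet("in", "tcp", STRANGER, 12345, INSIDE, 22, "A"),    # unsolicited non-SYN segment
    Packet("out", "udp", INSIDE, 5353, DNS, 53),              # DNS query
    Packet("in", "udp", DNS, 53, INSIDE, 5353),               # DNS answer
    Packet("in", "udp", STRANGER, 9999, INSIDE, 161),         # unsolicited UDP datagram
    Packet("out", "tcp", INSIDE, 40001, FTP, 21, "A", "PORT 192,0,2,10,4,1\r\n"),  # FTP PORT command
    Packet("in", "tcp", FTP, 20, INSIDE, 1025, "S"),          # server's active-mode data connection
]


def compare(trace=TRACE, ftp_helper=True):
    """Return one (stateless verdict, stateful verdict) pair per packet in the trace."""
    stateful = StatefulFilter(ftp_helper)
    return [(stateless_syn_filter(p), stateful.filter(p)) for p in trace]


if __name__ == "__main__":
    for p, (a, b) in zip(TRACE, compare()):
        print(f"{p.direction:3} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} "
              f"{p.flags:2} stateless={a:6} stateful={b}")
```

Packets 4 and 7 are where the SYN-only rule accepts traffic the state table rejects, and packet 9 is the FTP case: without the helper (`compare(ftp_helper=False)`) the stateful filter drops the data connection just as the stateless one does, which is the operational reason conntrack ships an ftp helper at all.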