LinuxSA Mailing list archives

  From: Glen Turner <glen.turner@aarnet.edu.au>
  To  : Mark Newton <newton@atdot.dotat.org>
  Date: Mon, 28 Feb 2000 19:22:54 +1030

Re: <REQ for comments> : Firewalls

Mark Newton wrote:
> 
> FW-1 is supposed to do "stateful inspection," which effectively means
> that each packet is examined in the context of the packets which have
> arrived before it.  So, for example, if you allow SMTP traffic through
> it that doesn't mean you're permitting any ol' random TCP packet with a
> destination of port 25, you'll only get packets which are SYN-ACKs or
> continuations of existing SMTP sessions.
> 
> Whether this buys you anything is doubtful:

I can't agree here Mark.  It buys you protection from TCP-based DoS attacks
and does a lot to prevent TCP session hijacking.

It also allows programs like FTP to be safely used without any PASV stuffing
about.

The aggregate state count can also be used to implement quite effective
anti-SYN flood code.

> Note, incidentally, that NAT is just a variation on stateful inspection,
> so it isn't like Linux can't be convinced to do it in the very small
> number of cases when you'd actually want it anyway.

Uh, no.  NAT is easily DoSed by occupying all 64K ports (e.g. with a port
scan).  So a NAT gateway for a large company actually presents quite a
reliability risk.

I'd argue that Linux ipchains is good enough for most people.  But
better products certainly exist.  I don't think FW-1 is the best of those
other products.

What we really need is flow state tracking ASICs at network edges.  I
suspect after recent events that they may now be a priority with router
vendors :-)

-- 
 Glen Turner                                 Network Engineer
 (08) 8303 3936      Australian Academic and Research Network
 glen.turner@aarnet.edu.au          http://www.aarnet.edu.au/
--
 Earth is a single point of failure

-- 
LinuxSA WWW: http://www.linuxsa.org.au/  IRC: #linuxsa on irc.linux.org.au
To unsubscribe from the LinuxSA list:
  mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject
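The two mechanisms argued over above (stateful inspection that only admits a bare SYN or a continuation of a tracked session, and an aggregate half-open count used as a SYN-flood brake) can be seen in a few dozen lines. The following is an added illustration written for this archive page; it is not code from the thread, from FW-1 or from ipchains. The `Packet` class, the `StatefulFilter` class and the `demo` function are hypothetical names, the addresses and ports in `demo` are constructed sample values, and the state machine is deliberately minimal (no sequence-number checks, no timeouts, no TIME_WAIT), which is noted in the comments.

```python
"""Toy stateful packet filter with a cap on half-open TCP sessions.

Added example for this list-archive page; not code from the thread,
FW-1 or ipchains.  Names, addresses and ports below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# TCP flag bits, same values as in the TCP header.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    """Just the 5-tuple fields and flags a connection tracker looks at."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


# A flow is keyed by who opened it: (initiator, iport, responder, rport).
FlowKey = Tuple[str, int, str, int]


class StatefulFilter:
    def __init__(self, allowed_ports: Set[int], max_half_open: int = 3):
        self.allowed_ports = allowed_ports
        self.max_half_open = max_half_open          # SYN-flood brake
        self.table: Dict[FlowKey, str] = {}         # SYN_SENT/ESTABLISHED/CLOSING

    def half_open(self) -> int:
        """Aggregate count of sessions still waiting for the 3-way handshake."""
        return sum(1 for s in self.table.values() if s == "SYN_SENT")

    def _close(self, key: FlowKey, flags: int) -> None:
        # RST tears the entry down at once; the second FIN removes it.
        # Simplification: a real tracker keeps a TIME_WAIT entry so the
        # final ACK of the close is still matched.
        if flags & RST or (flags & FIN and self.table[key] == "CLOSING"):
            del self.table[key]
        elif flags & FIN:
            self.table[key] = "CLOSING"

    def process(self, pkt: Packet) -> str:
        flags = pkt.flags
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)

        if fwd in self.table:                       # packet from the initiator
            if self.table[fwd] == "SYN_SENT" and flags & ACK and not flags & SYN:
                self.table[fwd] = "ESTABLISHED"     # handshake completed
            self._close(fwd, flags)
            return "ACCEPT"

        if rev in self.table:                       # packet from the responder
            if self.table[rev] == "SYN_SENT":
                if flags & RST:
                    del self.table[rev]
                    return "ACCEPT"
                # Only a SYN-ACK is a valid reply to an open SYN.
                return "ACCEPT" if flags & (SYN | ACK) == SYN | ACK else "DROP"
            self._close(rev, flags)
            return "ACCEPT"

        # Unknown flow: only a bare SYN to a permitted port may open a session,
        # and only while the half-open table is below its cap.  A stray ACK or
        # SYN-ACK to port 25 is dropped even though the port itself is "open".
        if flags != SYN or pkt.dport not in self.allowed_ports:
            return "DROP"
        if self.half_open() >= self.max_half_open:
            return "DROP"
        self.table[fwd] = "SYN_SENT"
        return "ACCEPT"


def demo() -> dict:
    """Walk a constructed SMTP session and a burst of unanswered SYNs."""
    fw = StatefulFilter(allowed_ports={25}, max_half_open=3)
    c, s = "10.0.0.5", "192.0.2.10"                 # constructed addresses
    out = {}
    out["syn"] = fw.process(Packet(c, 40000, s, 25, SYN))
    out["synack"] = fw.process(Packet(s, 25, c, 40000, SYN | ACK))
    out["ack"] = fw.process(Packet(c, 40000, s, 25, ACK))
    out["data"] = fw.process(Packet(c, 40000, s, 25, ACK))
    out["stray_ack"] = fw.process(Packet("198.51.100.7", 5555, s, 25, ACK))
    out["telnet_syn"] = fw.process(Packet(c, 40001, s, 23, SYN))
    # Four SYNs from different sources that are never completed: the fourth
    # exceeds the half-open cap, while the established session keeps flowing.
    burst = [fw.process(Packet(f"203.0.113.{i}", 1000 + i, s, 25, SYN))
             for i in range(1, 5)]
    out["burst"] = ",".join(burst)
    out["established_during_burst"] = fw.process(Packet(s, 25, c, 40000, ACK))
    out["half_open"] = fw.half_open()
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26s} {result}")
```

The cap in `demo` is set to three only so the effect is visible; in practice the threshold would be sized against the gateway's table memory and the half-open entries would also expire on a timer, which is the part a flow-tracking ASIC at the edge would do at line rate.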
