nanog mailing list archives
Re: I don't need no stinking firewall!
From: James Hess <mysidia () gmail com>
Date: Sun, 10 Jan 2010 02:48:54 -0600
On Fri, Jan 8, 2010 at 10:48 AM, Joe Greco <jgreco () ns sol net> wrote:
Putting a stateful firewall in front of that would be dumb; the server is completely capable of coping with the superfluous SYN's in a much more competent manner than the firewall.
The trouble with blanket statements about "all stateful firewalls" and "all servers" is there are lots of different firewall and server platforms. Stateful firewalls can implement SYN cookies, and at least a couple do. Firewalls do not need to build a state entry for partial TCP sessions, there are a few different things that can be done, such as the firewall answering on behalf of the server (using SYN cookies) and negotiating connection with the server after the final ACK. As a result, spoofed TCP packets don't consume state. Multiple IPs they can _receive_ traffic to required, next? Spoofed UDP is a much bigger problem, because there is no connection establishment. And it's probably not sane to put certain public-facing UDP services such as large public DNS service IPs (e.g. 8.8.8.8) behind most forms of stateful filter. But that's not the average case, by any means, most servers are not DNS servers. Servers consume state just like firewalls do.... E.g. A public FTP server that opens a process for each connection, goes down in a connection flood, when kernel process slots are used up, long before the firewall. Servers running a robust OS completely and correctly configured to perfectly protect themsleves (resource limits, etc), no Windows OSes, with unwanted open ports, is a wholly unwarranted assumption for real-world server environments. In the best cases it does hold up (to a great extent). In other cases, it's an operational fantasy; it would be nice if that could be relied upon.... --- -J
Current thread:
- Re: I don't need no stinking firewall!, (continued)
- Re: I don't need no stinking firewall! Brian Keefer (Jan 10)
- RE: I don't need no stinking firewall! George Bonser (Jan 10)
- Re: I don't need no stinking firewall! Dobbins, Roland (Jan 10)
- RE: I don't need no stinking firewall! George Bonser (Jan 10)
- Re: I don't need no stinking firewall! Warren Kumari (Jan 13)
- Re: I don't need no stinking firewall! Dobbins, Roland (Jan 13)
- Re: I don't need no stinking firewall! Bill Stewart (Jan 14)
- Re: I don't need no stinking firewall! Joe Maimon (Jan 14)
- Re: I don't need no stinking firewall! Valdis . Kletnieks (Jan 08)
- Re: I don't need no stinking firewall! Joe Greco (Jan 08)
- Re: I don't need no stinking firewall! James Hess (Jan 10)
- Re: I don't need no stinking firewall! Dobbins, Roland (Jan 10)
- Re: I don't need no stinking firewall! William Herrin (Jan 10)
- Re: I don't need no stinking firewall! William Herrin (Jan 10)
- Re: I don't need no stinking firewall! James Hess (Jan 10)
- Re: I don't need no stinking firewall! Dobbins, Roland (Jan 10)
- Re: I don't need no stinking firewall! Joe Greco (Jan 10)
- Re: I don't need no stinking firewall! Joel Jaeggli (Jan 08)
- Re: I don't need no stinking firewall! Mark Smith (Jan 06)
- Re: I don't need no stinking firewall! William Pitcock (Jan 05)
- Re: I don't need no stinking firewall! Joe Greco (Jan 06)