On Tue, Apr 17, 2012 at 12:58 PM, Michael Sierchio <ku...@tenebras.com> wrote:
> On Tue, Apr 17, 2012 at 12:48 PM, Kevin Oberman <kob6...@gmail.com> wrote:
>>
>>
>> But I do have to ask why you find stateful rules for outgoing TCP
>> connections desirable? Why not:
>> 00101 allow tcp from me to any established
>>
> It's useful and appropriate to have outbound connections be stateful.  It's
> not a good idea to have inbound connections stateful, as it makes it easy to
> fill up the state table.

It is occasionally useful and appropriate to have outbound connections
be stateful. I agree that inbound ones are dangerous, but I have
managed to DoS myself on an outbound entry. (Yes, it was dumb and
involved some horribly written software that kept opening and closing
sockets instead of continuing to re-use them.)

There can also be no question that they are more complex and, in most
cases, offer exactly zero advantage over 'established'. It is often
simply an automatic action that involves no thought of which is more
appropriate.
-- 
R. Kevin Oberman, Network Engineer
E-mail: kob6...@gmail.com
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
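The self-inflicted state-table exhaustion Kevin describes, as an added toy simulation that is not from the thread or from ipfw itself: the `setup` rule paired with the quoted `established` rule, the table limit, the addresses and the packet trace are all assumptions.

```python
"""Toy model of the thread's point: an outbound keep-state rule burns one
dynamic-table entry per connection, so a socket-churning client can exhaust
it, while 'established' keeps no state. Entry timeouts are not modelled."""
from collections import namedtuple
# flags is a frozenset drawn from {"SYN", "ACK", "FIN", "RST"}
Packet = namedtuple("Packet", "src sport dst dport flags")

class StatefulRule:
    """'allow tcp from me to any setup keep-state' with a bounded dynamic
    table; the limit stands in for ipfw's net.inet.ip.fw.dyn_max sysctl."""
    def __init__(self, me: str, limit: int):
        self.me, self.limit, self.table = me, limit, set()

    def allow(self, p: Packet) -> bool:
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.table:            # packet of a tracked connection
            return True
        if p.src == self.me and p.flags == {"SYN"}:
            if len(self.table) >= self.limit:
                return False             # table full: we have DoSed ourselves
            self.table.add(key)
            return True
        return False

class StatelessRules:
    """The quoted 'allow tcp from me to any established' plus an assumed
    'allow tcp from me to any setup' for the opening SYN; no state anywhere."""
    def __init__(self, me: str):
        self.me = me

    def allow(self, p: Packet) -> bool:
        if p.src != self.me:
            return False
        if p.flags == {"SYN"}:                 # setup
            return True
        return bool(p.flags & {"ACK", "RST"})  # established

def churn_trace(n: int, me: str = "10.0.0.2") -> list:
    """Constructed trace: a badly written client opens and closes n
    connections to a web server instead of reusing one."""
    pkts = []
    for i in range(n):
        for flags in ({"SYN"}, {"ACK"}, {"FIN", "ACK"}):
            pkts.append(Packet(me, 40000 + i, "192.0.2.10", 80, frozenset(flags)))
    return pkts

def run(rule, trace) -> tuple:
    """Return (connections opened, packets allowed) under a rule."""
    verdicts = [(p, rule.allow(p)) for p in trace]
    return sum(ok for p, ok in verdicts if p.flags == {"SYN"}), sum(ok for _, ok in verdicts)
```

With a table limit of 4, the stateful rule lets only the first four of ten churned connections through, while the stateless pair passes every packet without holding anything.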
