On Sunday, 27 October 2013 at 16:33:23, Rumen Telbizov wrote:
> > > The question is: Is keeping two states for one connection a bad thing or
> > > is it an acceptable practice ?
> >
> > It's rather a requirement. A packet incoming on one interface creates a
> > different state than the same packet outgoing on other interface (even
> > without if-bound state policy). And you want further, reverse direction
> > packets in connections to be matched to existing states and passed instead
> > of traversing rule list or hitting the block rule.
>
> Cool. I know the states are different (due to direction differences) but I
> was wondering if there was a way around that to save on the number of states
> and somehow get away with only 1 state. So now I understand having two states
> per connection is fine.

Why shouldn't it be? Searching through states is quite fast. Even with hundreds
of thousands of states it is much faster than going through a few hundred
rules, from my experience.

> I was more curious to know what you and other folks think regarding my
> first question:
>
> *Is there any security risk in me allowing the traffic to pass the external
> interface and then dropping it on the internal interface?*

That depends on whether the traffic from the Internet can hit the router's IP
stack directly. For example, if you assign public IPs of servers in VLANs to
the router's $ext_if and use nat or route-to to forward traffic to VLANs,
whatever does not hit those rules but is passed on $ext_if will hit the router
itself in that case.

--
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz   | jabber,email: vegeta()tuxpowered net  |
| Vegeta                 | www: http://vegeta.tuxpowered.net     |
`------------------------^---------------------------------------'

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
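The scenario in the reply above (a server's public IP aliased on the router's $ext_if and rdr'd to a VLAN host), shown as an added pf.conf example that is not from this thread; interface names, addresses and the management network are constructed placeholders.

```pf
# Constructed example: interface names and addresses are placeholders.
ext_if  = "em0"
int_if  = "em1"                # trunk carrying the server VLANs
web_pub = "203.0.113.10"       # public address aliased on $ext_if, not on the server
web_srv = "10.10.10.10"        # the server behind the router, in a VLAN
mgmt    = "198.51.100.0/24"    # hosts allowed to manage the router itself

# Translation runs before filtering: packets to $web_pub on 80/443 are rewritten
# to $web_srv, so the filter rules below see the VLAN host as destination.
rdr on $ext_if proto tcp to $web_pub port { 80 443 } -> $web_srv

# --- Weak layout: pass everything in on $ext_if, filter only on $int_if ------
# pass in quick on $ext_if all
# block in on $int_if all
# pass in on $int_if proto tcp to $web_srv port { 80 443 }
# Packets to $web_pub on any other port do not match the rdr rule, keep the
# router's own address as destination and never reach $int_if: the "pass all"
# on $ext_if delivers them straight to the router's IP stack.

# --- Corrected layout: decide on $ext_if, before a packet can reach "self" ---
set skip on lo0
block log all

# Router's own stack: management only; anything else addressed to one of the
# router's interfaces is dropped here. "self" covers the $ext_if aliases too.
pass  in quick on $ext_if proto tcp from $mgmt to self port 22 keep state
block in quick on $ext_if to self

# Forwarded traffic: one state is created on $ext_if, a second one on $int_if.
pass in  on $ext_if proto tcp to $web_srv port { 80 443 } keep state
pass out on $int_if proto tcp to $web_srv port { 80 443 } keep state

# Router-originated traffic; replies from $web_srv match the two states above.
pass out on $ext_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then open one connection to $web_pub:80 and confirm with `pfctl -ss` that exactly two states exist for it, one per interface.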