Brian Candler wrote:
On Wed, Jan 24, 2007 at 02:39:42PM -0600, Travers Buda wrote:
Last time I checked though, clients only talk with the web server on
port 80. So, the only reason you would want to keep state would be if
you have a ruleset like block out all (which is generally only useful
if you don't trust the users of said machine.) So, just unconditionally
pass port 80 traffic in both directions.

But then your firewall doesn't protect your webservers from SYN floods and
sequence number guessing attacks.

See "synproxy state" in pf.conf(5)

Just keep full state in, and there isn't any problem whatsoever having a very busy web server, properly configured, handle the traffic with PF, while also blocking unwanted outgoing traffic. I do it and have done it for a long time without any problem whatsoever, including with CARP.

Use PF as it is intended to be used and was designed for. It can take a lot more than you think.

It is designed to keep state efficiently, so do it and sleep well.

Best,

Daniel



# pfctl -s i
Status: Enabled for 47 days 18:15:24          Debug: Urgent

Interface Stats for bge0              IPv4             IPv6
  Bytes In                    424210935173              384
  Bytes Out                   279558104364                0
  Packets In
    Passed                       525093960                0
    Blocked                        1832643                6
  Packets Out
    Passed                       468256966                0
    Blocked                         375637                0

State Table                          Total             Rate
  current entries                      319
  searches                       995552503          241.3/s
  inserts                         16346924            4.0/s
  removals                        16346894            4.0/s
Counters
  match                           18430186            4.5/s
  bad-offset                             0            0.0/s
  fragment                              78            0.0/s
  short                                  0            0.0/s
  normalize                             73            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                         6438            0.0/s
  state-mismatch                    118358            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              1            0.0/s
  synproxy                               0            0.0/s
# pfctl -s m
states        hard limit    50000
src-nodes     hard limit    50000
frags         hard limit    25000
tables        hard limit     1000
table-entries hard limit   250000
# pfctl -s t
tcp.first                    30s
tcp.opening                   5s
tcp.established           18000s
tcp.closing                  60s
tcp.finwait                  30s
tcp.closed                   30s
tcp.tsdiff                   10s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start            30000 states
adaptive.end              60000 states
src.track                     0s
#
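A pf.conf fragment, added here as an illustration and not taken from the thread or from any poster's configuration, showing the approach the replies describe: full state kept on inbound HTTP with "synproxy state" (which per pf.conf(5) includes keep state and modulate state, so half-open SYNs are absorbed by pf and the server never sees the client's raw sequence numbers), the state ceiling raised above the 50000 default shown in the pfctl -s m output, and outbound traffic restricted. The interface name bge0 is taken from the output above; the address, the limits, the rate thresholds and the outbound ports are assumptions.

```pf
# Added example (not from the thread). Interface bge0 is taken from the
# pfctl output; the address, limits and outbound ports are assumptions.
ext_if = "bge0"
web_ip = "192.0.2.10"          # placeholder: the web server's address

# Raise the state table ceiling so a busy server does not hit the 50000
# default; pf scales adaptive.start/end to 60% / 120% of this limit,
# which is why the output above shows 30000 / 60000 for a 50000 limit.
set limit { states 100000, src-nodes 50000 }
set timeout { adaptive.start 60000, adaptive.end 120000 }
set skip on lo0

# Sources that exceed the per-source limits below land in this table;
# inspect it with: pfctl -t overload -T show
table <overload> persist

# Default deny in both directions, then open only what is needed.
block in log all
block out all

# Drop anything from a source already flagged as abusive.
block in quick on $ext_if from <overload>

# Inbound HTTP: pf completes the TCP handshake on the server's behalf
# (synproxy state), so SYN floods never reach the daemon, and it
# rewrites ISNs so sequence-number guessing against the host fails.
# Per-source caps: at most 200 open connections, at most 50 new
# connections per 10 seconds; offenders go to <overload> and their
# existing states are flushed.
pass in on $ext_if proto tcp to $web_ip port 80 \
    flags S/SA synproxy state \
    (max-src-conn 200, max-src-conn-rate 50/10, \
     overload <overload> flush global)

# Outbound from the host itself (assumed needs: DNS, NTP, package
# fetches over HTTP/HTTPS); state is kept so replies are matched.
pass out on $ext_if proto udp to port { 53, 123 } keep state
pass out on $ext_if proto tcp to port { 53, 80, 443 } \
    flags S/SA modulate state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; the "synproxy" and "src-limit" counters in `pfctl -s i` will show the rule doing work once traffic arrives.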