> * Ted Unangst <[EMAIL PROTECTED]> [2008-06-20 20:50]:
> > One would only use sloppy state tracking on the load balancer, right?
>
> not necessarily only, but that would be the most common use I bet.
> In general, you use it when you cannot avoid it, as in, the other
> option is to not filter stateful at all since you don't see all of the
> packets for the connection.

sloppy state handling use, follow these two rules:

rule one: if you exactly understand how to use sloppy state safely, use it

NO: otherwise, don't even dream of using it, unless you come from a linux ipfilter world, in which case, it is probably as good as that it is that simple. really.

the second basic rule is: if the regular 'strict' state handling does not work for you in specific situations, you probably already know the problem in enough detail and can use sloppy, for very specific situations which you understand in excruciating detail. if you don't understand those situations exactly, go back to NO.