> On Mon, 4 Dec 2000, Dane Balia wrote:
>
> > Hi
> >
> > I was wondering, and in sheer ignorance would like to know, if ipchains
> > has no stateful inspection written into it, why is it supported so much
> > and why hasn't it been included?
>
> TCP-based systems keep their own state, and other than some DoS stuff
> (which should be tuned on Internet-accessible hosts anyway), there's not a
> great deal of value from the filter keeping state. Cisco router filtering
> on a normal IOS image isn't stateful either, but it's still the best
> first-line of defense.
>
> Adding mechanisms to keep state increases the complexity of the code, and
> if current state-keeping commercial firewalls are anything to go by, it's
> not easy to get right.
>
> Since the biggest gain for keeping state is UDP or ICMP, and other than
> DNS,
What about normal ftp (not PASV), IIOP, net-meeting, sun-rpc, etc.?
Keeping state is necessary if you are to have any chance of allowing
these without opening up huge holes in your firewall.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
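The active-FTP case raised in the reply, as an added Python example that is not part of the thread or of ipchains itself. The addresses and the control-channel exchange are constructed; the "stateless" rule is the static one a filter without connection tracking has to carry to let active FTP work (any host with source port 20 may connect to any unprivileged port on the client), while the "stateful" side derives the single data connection that the observed PORT command actually announces, the way a connection-tracking helper does.

```python
"""Active-mode FTP through a stateless filter versus a state-tracking one.

Constructed demonstration, not code from the original thread or from ipchains.
"""
import re
from dataclasses import dataclass

# Assumed addresses for the constructed example (hypothetical).
CLIENT_IP = "192.0.2.10"      # inside the firewall
SERVER_IP = "198.51.100.5"    # FTP server out on the Internet

# Constructed active-mode control-channel exchange as the firewall would see it.
# "PORT h1,h2,h3,h4,p1,p2" tells the server where to connect for the data
# channel: address h1.h2.h3.h4, port p1*256 + p2 (here 4*256 + 87 = 1111).
CONTROL_CHANNEL = [
    ("client", "USER anonymous"),
    ("server", "331 Please specify the password."),
    ("client", "PASS guest@"),
    ("server", "230 Login successful."),
    ("client", "PORT 192,0,2,10,4,87"),
    ("server", "200 PORT command successful."),
    ("client", "RETR README"),
]

PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$"
)


@dataclass(frozen=True)
class Packet:
    """The 4-tuple of an inbound TCP connection attempt."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_port_command(line, client_ip):
    """Return (dst_ip, dst_port) announced by a valid PORT command, else None.

    Rejects octets above 255, privileged ports, and addresses that differ
    from the client that sent the command (the classic FTP bounce abuse).
    """
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    ip = f"{h1}.{h2}.{h3}.{h4}"
    port = p1 * 256 + p2
    if ip != client_ip or port < 1024:
        return None
    return ip, port


def track_expectations(control_channel, client_ip, server_ip):
    """Stateful filter: derive the exact data connection each PORT permits.

    The server opens the data channel from port 20 to the announced endpoint,
    so that single 4-tuple is all that needs to be let in.
    """
    expected = set()
    for speaker, line in control_channel:
        if speaker != "client":
            continue
        announced = parse_port_command(line, client_ip)
        if announced:
            dst_ip, dst_port = announced
            expected.add(Packet(server_ip, 20, dst_ip, dst_port))
    return expected


def stateless_allows(pkt, client_ip):
    """Static rule a filter without state must carry for active FTP:
    anything claiming source port 20 may reach any unprivileged client port."""
    return pkt.src_port == 20 and pkt.dst_ip == client_ip and pkt.dst_port > 1023


def stateful_allows(pkt, expected):
    """Only the 4-tuple announced over the tracked control channel gets in."""
    return pkt in expected


if __name__ == "__main__":
    expected = track_expectations(CONTROL_CHANNEL, CLIENT_IP, SERVER_IP)
    legit = Packet(SERVER_IP, 20, CLIENT_IP, 1111)
    probe = Packet("203.0.113.7", 20, CLIENT_IP, 3389)  # attacker, sport 20
    for name, pkt in (("legit data connection", legit), ("probe", probe)):
        print(f"{name}: stateless={stateless_allows(pkt, CLIENT_IP)} "
              f"stateful={stateful_allows(pkt, expected)}")
```

Run it and the difference is visible at once: the stateless rule admits both the genuine data connection and an arbitrary host that simply sets its source port to 20, whereas the tracked expectation admits only the connection the client asked for. The parser also refuses PORT commands pointing at a third party, which is the check a helper needs so that the pinhole cannot be aimed elsewhere.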