On Wed, 24 Jan 2007 08:26:11 -0800
Alexander Lind <[EMAIL PROTECTED]> wrote:
> If I have a busy http server or cluster (by busy I mean one that gets
> hundreds of thousands of visitors per day), and I use an openbsd
> firewall, should I keep state for all incoming http connections, or
> should I just pass them all in without state and then pass them all out
> without state instead of using states?
>
> I'm afraid the state table will get filled up.
>
> This is on openbsd 3.9
>
> Alec
>
Well, if you want to keep state, and are having trouble with memory,
try

    set optimization aggressive

        Aggressively expire connections. This can greatly reduce the
        memory usage of the firewall at the cost of dropping idle
        connections early.

Don't forget to raise the limits with pfctl.
Or, add more ram, or get a server pool going.
Last time I checked though, clients only talk with the web server on
port 80. So, the only reason you would want to keep state would be if
you have a ruleset like block out all (which is generally only useful
if you don't trust the users of said machine.) So, just unconditionally
pass port 80 traffic in both directions.
Now I don't think that HTTP uses multiple ports on the server side to
send data to clients. A quick tcpdump on my end seems to confirm this.
    tcpdump -n -i fxp0 not broadcast and not arp and not port 53

    14:33:47.298032 128.255.167.160.21463 > 72.14.207.99.80: S 1157700480:1157700480(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 2687791993 0> (DF)
    14:33:47.329927 64.233.187.99.80 > 128.255.167.160.19807: . ack 1 win 8190
    14:33:47.337278 72.14.207.99.80 > 128.255.167.160.21463: S 3340868886:3340868886(0) ack 1157700481 win 8190 <mss 1460>
    14:33:47.337345 128.255.167.160.21463 > 72.14.207.99.80: . ack 1 win 16384 (DF)
    14:33:47.337444 128.255.167.160.21463 > 72.14.207.99.80: P 1:479(478) ack 1 win 16384 (DF)

See? Google is only talking to me on port 80. And it does not look like
rfc2616 mentions any other ports besides 80.
Travers Buda
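The two approaches from the reply above (stateless pass on port 80, or stateful with aggressive expiry and raised limits), written out as a pf.conf fragment. This is an added example, not configuration from the thread; the interface name, server address and limit values are assumed.

```pf
# Added example (not from the thread). Interface, address and limits are
# assumed placeholders; adjust to the real environment.
ext_if = "fxp0"
www    = "192.0.2.10"        # assumed web server address

# Options must precede rules in pf.conf. They only matter for the stateful
# variant (B) but are harmless with the stateless one (A).
set optimization aggressive   # expire idle states early, less memory
set limit states 200000       # raise the default state-table ceiling
# Start expiring states faster as the table fills (values tied to the limit).
set timeout { adaptive.start 120000, adaptive.end 200000 }

# --- A: stateless, as suggested in the reply -----------------------------
# No state entries are created, so the state table cannot fill up, but pf
# does no TCP flag/sequence tracking for this traffic. Note: from OpenBSD
# 4.1 on, rules keep state by default, so append "no state" to both lines.
pass quick proto tcp from any to $www port 80
pass quick proto tcp from $www port 80 to any

# --- B: stateful with bounded memory (uncomment to use instead of A) -----
# "max" caps the states this rule may hold so a flood of connections cannot
# exhaust the whole table; verify afterwards with "pfctl -si" (current vs
# limit) and "pfctl -sm".
#pass in quick on $ext_if proto tcp from any to $www port 80 \
#    flags S/SA keep state (max 150000)
#pass out quick on $ext_if proto tcp from $www port 80 to any
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`.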