On 1/24/07, Travers Buda <[EMAIL PROTECTED]> wrote:

> Last time I checked though, clients only talk with the web server on
> port 80. So, the only reason you would want to keep state would be if
> you have a ruleset like block out all (which is generally only usefull
> if you don't trust the users of said machine.) So, just unconditionally
> pass port 80 traffic in both directions.



That was really bad advice.  Stateful filtering is much more efficient, and
that is very important for a firewall handling thousands of connections.
The default state limit of 10,000 is pretty reasonable and you can change it
easily.  I usually have around 100,000 states on my firewall.  You can also
put limits on the number of states each client can create to prevent Denial
of Service.  In my opinion, it is best to keep state unless you have a
reason NOT to.

Keeping state will soon be the default behavior in pf...that says something
about it.

Also see the three articles Daniel Hartmeier wrote:

http://undeadly.org/cgi?action=article&sid=20060927091645

-- 
Kian Mohageri
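As an added illustration of the two approaches being argued over (this is a constructed pf.conf fragment, not from either poster), here is the stateless "just pass port 80 both ways" rule next to a stateful rule that also caps what each source can create; the interface name, the server address, the table name and every numeric limit are assumed values.

```pf
# Constructed pf.conf fragment; $ext_if, $web_srv and all limits are assumptions.
ext_if  = "em0"
web_srv = "192.0.2.10"          # placeholder web server address

# Sources that exceed the connection-rate limit below get collected here.
table <abusers> persist

# Raise the global state-table ceiling from the 10,000 default.
# 100,000 is an example value sized for a busy firewall.
set limit states 100000

# --- Weak: stateless, unconditional port-80 pass in both directions ---
# Every packet is re-evaluated against the ruleset, reply packets are
# accepted whether or not a matching request was ever seen, and nothing
# bounds the number of connections a single client can open.
# pass in  on $ext_if proto tcp from any to $web_srv port 80 no state
# pass out on $ext_if proto tcp from $web_srv port 80 to any no state

# --- Preferred: default deny, keep state, bound per-source usage ---
block in log on $ext_if

# Anything already flagged as abusive is dropped before the pass rule.
block in quick on $ext_if from <abusers>

# Only the initial SYN (flags S/SA) is matched against the ruleset; the
# rest of the connection, replies included, is handled by the state table,
# so no explicit outbound pass for port 80 is required.
#   max-src-states     : states one source address may hold at once
#   max-src-conn       : established TCP connections per source
#   max-src-conn-rate  : new connections per source, 30 in any 10 seconds
#   overload ... flush : offenders go into <abusers> and lose their states
pass in on $ext_if proto tcp from any to $web_srv port 80 flags S/SA keep state \
    (max-src-states 100, max-src-conn 50, \
     max-src-conn-rate 30/10, overload <abusers> flush)

# Traffic originated by the firewall host itself, also tracked statefully.
pass out on $ext_if keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and `pfctl -s info` / `pfctl -s state` to watch how many states the box actually holds.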
