* Daniel Malament <dani...@bluetiger.net> [2009-09-12 23:04]:
> 1) The big one is what I would call the 'double state problem'.  It  
> seems to me that the big disadvantage of a default-deny ruleset is that  
> because explicit pass rules are required on all interfaces, traffic  
> passing through the firewall machine needs state on all interfaces. This 
> isn't a problem for most applications, but it seems like it would be a 
> memory issue for large routers.

there's no memory problem really. you will have memory bandwidth / bus
bandwidth / interface bandwidth maxed out long before memory for the
states becomes an issue. i am not aware of a _single_ case of state
table size problem in at least 5 years (in the early days the pools
used had limitations that actually made that a bit problematic, but
that is long solved).

you want default deny and double states... really. not bored enough to
write that down again tho.

and if you don't like the double states you can still set skip on one
of the interfaces. but understand the consequences.

> pass     on $int_if no state

ugh.
stateless = slow.

> 2) The other (shorter) question:
> If I want one of my internal networks to be able to access the internet,  
> but not be able to access my other internal networks, is
>
> ---
> table <non_local> { 0.0.0.0/0 !$int_net1 !$int_net2 }
> block   all
> pass in on $int_net3 from any to <non_local>
> [etc]
> ---
>
> better or worse in speed and resources than
>
> ---
> block all
> pass  in on $int_net3
> block in on $int_net3 from any to $int_net1:network
> block in on $int_net3 from any to $int_net2:network
> [etc]
> ---

won't make a difference that matters.
with just 3 entries they are probably about the same, the more entries
the more advantage for the table.
but then the optimizer will make that a table anyway (exceptions apply)

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
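As an added example (not part of the thread, and not Henning's or Daniel's config), a pf.conf sketch that puts both points together: a default-deny ruleset that keeps state on every interface a forwarded flow crosses, and a negated table so one internal network can reach the internet but not the other internal networks. Interface names and address ranges are assumptions.

```pf
# Added example, not from the original thread. Interface names and
# networks below are made up for illustration.
ext_if   = "em0"
int_if1  = "em1"
int_if2  = "em2"
int_if3  = "em3"             # guest net: internet only
int_net1 = "10.0.1.0/24"     # assumed network behind em1
int_net2 = "10.0.2.0/24"     # assumed network behind em2
int_net3 = "10.0.3.0/24"     # assumed network behind em3

# Everything the guest net may talk to: the whole IPv4 space with the
# two trusted internal networks carved out by negated table entries.
# One table lookup per packet, however many networks are excluded.
table <non_local> const { 0.0.0.0/0 !$int_net1 !$int_net2 }

set skip on lo0
# Uncommenting the next line would drop the second state of each pair
# (the "double state" discussed above) at the cost of no filtering at
# all on that interface; left disabled here.
# set skip on $int_if1

# Default deny. Every pass rule below keeps state (pf's default), so a
# forwarded flow gets one state entry on each interface it is passed
# on. "no state" is deliberately not used: without a state entry every
# packet walks the ruleset.
block log all

# Firewall's own and forwarded traffic leaving via the uplink.
pass out on $ext_if inet

# Trusted internal networks: in from the LAN side and out towards it.
pass in  on { $int_if1, $int_if2 } inet from { $int_net1, $int_net2 }
pass out on { $int_if1, $int_if2 } inet to   { $int_net1, $int_net2 }

# Guest net: only non-local destinations are reachable.
pass in on $int_if3 inet from $int_net3 to <non_local>
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -t non_local -T show` afterwards lists the resolved table contents.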
