Re: sloppy states and dsr
> * Ted Unangst <[EMAIL PROTECTED]> [2008-06-20 20:50]:
> > One would only use sloppy state tracking on the load balancer, right?
>
> not necessarily only, but that would be the most common use I bet.
> In general, you use it when you cannot avoid it, as in, the other
> option is to not filter stateful at all since you don't see all of the
> packets for the connection.

for sloppy state handling use, follow these two rules:

rule one: if you exactly understand how to use sloppy state safely, use it.
NO: otherwise, don't even dream of using it, unless you come from a linux
ipfilter world, in which case, it is probably as good as that. it is that
simple. really.

the second basic rule is: if the regular 'strict' state handling does not
work for you in specific situations, you probably already know the problem
in enough detail and can use sloppy, for very specific situations which you
understand in excruciating detail. if you don't understand those situations
exactly, go back to NO.
Re: sloppy states and dsr
* Ted Unangst <[EMAIL PROTECTED]> [2008-06-20 20:50]:
> One would only use sloppy state tracking on the load balancer, right?

not necessarily only, but that would be the most common use I bet.
In general, you use it when you cannot avoid it, as in, the other
option is to not filter stateful at all since you don't see all of the
packets for the connection.

> The firewall in front of everything still uses normal tracking?

absolutely!

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: sloppy states and dsr
On Sat, Jun 21, 2008 at 09:12:22AM +0900, Ryan McBride wrote:
> On Fri, Jun 20, 2008 at 12:49:43PM -0700, Darrin Chandler wrote:
> > > Yes, you use sloppy state only on the host(s) seeing half of the traffic.
> >
> > So to say it even more plainly... anywhere you are forced to deal with
> > asymmetric routing you can use sloppy state in place of not having any
> > stateful option. Would that be a fair statement?
>
> It's a fair statement if by 'forced' you mean, 'compelled beyond your
> control, with no other options, having fully understood the consequences
> and informed all relevant parties of the risks involved'. This
> "feature" is NOT a substitute for good network design.
>
> sloppy state performs basically NO security checks on the TCP stream;
> more importantly the TCP state tracking is extremely loose and it's
> trivial for an attacker to spoof creation of "fully-established" TCP
> connections, which will not time out for an extremely long time, filling
> your state table and blocking legitimate traffic. It's dangerous.

Yes, that is what I meant. Thanks for saying it so much better. :)

-- 
Darrin Chandler | Phoenix BSD User Group | MetaBUG
[EMAIL PROTECTED] | http://phxbug.org/ | http://metabug.org/
http://www.stilyagin.com/ | Daemons in the Desert | Global BUG Federation
Re: sloppy states and dsr
On Fri, Jun 20, 2008 at 02:47:18PM -0400, Ted Unangst wrote:
| One would only use sloppy state tracking on the load balancer, right?
| The firewall in front of everything still uses normal tracking?

This is why the router should also be running pf/OpenBSD ;)

Cheers,

Paul 'WEiRD' de Weerd

-- 
http://www.weirdnet.nl/
Re: sloppy states and dsr
On Fri, Jun 20, 2008 at 12:49:43PM -0700, Darrin Chandler wrote:
> > Yes, you use sloppy state only on the host(s) seeing half of the traffic.
>
> So to say it even more plainly... anywhere you are forced to deal with
> asymmetric routing you can use sloppy state in place of not having any
> stateful option. Would that be a fair statement?

It's a fair statement if by 'forced' you mean, 'compelled beyond your
control, with no other options, having fully understood the consequences
and informed all relevant parties of the risks involved'. This
"feature" is NOT a substitute for good network design.

sloppy state performs basically NO security checks on the TCP stream;
more importantly the TCP state tracking is extremely loose and it's
trivial for an attacker to spoof creation of "fully-established" TCP
connections, which will not time out for an extremely long time, filling
your state table and blocking legitimate traffic. It's dangerous.
Re: sloppy states and dsr
On Fri, Jun 20, 2008 at 08:58:36PM +0200, Pierre-Yves Ritschard wrote:
> * Ted Unangst ([EMAIL PROTECTED]) wrote:
> > One would only use sloppy state tracking on the load balancer, right?
> > The firewall in front of everything still uses normal tracking?
> >
> Yes, you use sloppy state only on the host(s) seeing half of the traffic.

So to say it even more plainly... anywhere you are forced to deal with
asymmetric routing you can use sloppy state in place of not having any
stateful option. Would that be a fair statement?

-- 
Darrin Chandler | Phoenix BSD User Group | MetaBUG
[EMAIL PROTECTED] | http://phxbug.org/ | http://metabug.org/
http://www.stilyagin.com/ | Daemons in the Desert | Global BUG Federation
Re: sloppy states and dsr
* Ted Unangst ([EMAIL PROTECTED]) wrote:
> One would only use sloppy state tracking on the load balancer, right?
> The firewall in front of everything still uses normal tracking?

Yes, you use sloppy state only on the host(s) seeing half of the traffic.
sloppy states and dsr
One would only use sloppy state tracking on the load balancer, right? The firewall in front of everything still uses normal tracking?
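A pf.conf sketch of the split the thread settles on (default strict tracking on the firewall that sees both directions, sloppy confined to the DSR balancer that only sees the client-to-VIP half), added here as an illustration and not taken from any message in the thread. The interface name, the VIP and the numeric limits are assumed values; the per-rule `max`, `max-src-states` and `tcp.established` options bound the state-table growth Ryan describes but do not remove the risk.

```pf
# Added illustration, not from the thread. em0, 192.0.2.10 (documentation
# space) and every limit below are assumed values; adjust for the real site.
ext_if = "em0"
vip    = "192.0.2.10"

# --- Edge firewall host: sees both halves of every connection, so it keeps
# --- pf's default (strict) TCP tracking. Nothing on this host is sloppy.
block log all
pass out on $ext_if keep state
pass in on $ext_if proto tcp to $vip port { 80 443 } flags S/SA keep state

# --- DSR load balancer host: the real servers answer clients directly, so
# --- this host only ever sees client -> VIP packets. Strict tracking would
# --- never see the SYN+ACK and the states would stall, so sloppy is the only
# --- stateful option. It is limited to exactly this rule and bounded:
# ---   flags S/SA          only a SYN creates state (still rule matching)
# ---   max                 hard cap on states this rule may hold
# ---   max-src-states      cap per source address (needs source-track)
# ---   tcp.established     idle lifetime for "established" states, instead
# ---                       of the 24h default that spoofed states would enjoy
pass in on $ext_if proto tcp to $vip port { 80 443 } flags S/SA \
    keep state (sloppy, max 10000, source-track rule, max-src-states 100, \
                tcp.established 600)
```

On the balancer, `pfctl -si` reports the current number of state entries and `pfctl -ss` lists them with their TCP states, so a sudden pile of ESTABLISHED:ESTABLISHED entries from a few sources on the sloppy rule is the symptom to watch for.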