> Date: Thu, 09 Sep 2010 22:03:10 +0400 > From: "Marat N.Afanasyev" <[email protected]> > Sender: [email protected] > > Gareth de Vaux wrote: > > Hi again, I use some keep-state rules in ipfw, but get the following > > kernel message: > > > > kernel: ipfw: install_state: Too many dynamic rules > > > > when presumably my state table reaches its limit (and I effectively > > get DoS'd). > > > > netstat shows tons of connections in FIN_WAIT_2 state, mostly to > > my webserver. Consequently net.inet.ip.fw.dyn_count is large too. > > > > I can increase my net.inet.ip.fw.dyn_max but the new limit will > > simply be reached later on. > > > > I currently get around this with a cronjob that sets > > net.inet.ip.fw.dyn_keepalive to 0 for just less than 5 minutes > > every night. If I leave it at 0 for longer or indefinitely then > > idle ssh sessions and the like are dropped. This works fine for > > me but it looks like there's some bug with net.inet.ip.fw.dyn_keepalive=1? > > Or with Apache? > > > > I'm using 8.1-STABLE, GENERIC kernel. Experienced the same behaviour > > on 8.0-RELEASE, but not on 6.1-RELEASE where I had a similar setup. I > > have a KeepAliveTimeout of 4 in Apache (2.2.16). > > _______________________________________________ > > [email protected] mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-stable > > To unsubscribe, send any mail to "[email protected]" > > > I wonder, are these dynamic rules really necessary? let's see, a client > connects to your web-server and you immediately should create a new > dynamic rule, therefore you participate in this DoS attack as well as > attacker. ;)
I'll be more blunt...stateful firewalls should NEVER be placed in front of externally accessible services. Access filters are fine, but stateful firewalls are nothing but a denial of service waiting to happen. Security pros have always know this, but too many folks insist that there be a firewall in front of everything and that is simply an invitation to problems. Marat is right! Just don't even try. An attacker can ALWAYS overwhelm the state tables in a stateful firewall. It's just way too easy. There was a long discussion of this a while back on a network ops list I participate in and noobs kept claiming that you have to have a stateful firewall in front of everything while the real operational security folks (like those at Y! and Google) kept explaining that it just does not work. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: [email protected] Phone: +1 510 486-8634 Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751 _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "[email protected]"
