On Sep 4, 2013, at 11:17 AM, Janne Johansson <[email protected]> wrote:

> I thought the 10G benchmarks discussed recently showed that the performance
> "hit" from keeping state was so small it didn't matter, so you might as well
> just let the default (keep state) be there for those services.

Sorry, my question isn't performance related. I'm concerned about the loss of
security by not tracking state on inbound UDP to services that I provide.
Also, in the past I've discovered issues with udp state keeping on the ntp
service, e.g. keeping state on inbound udp degrades the stability of the clocks
once they've synchronized. So, I have a couple of udp services that I don't
want to bother keeping state on and I'm wondering about the security
implications of just not keeping state on any inbound UDP to services that I'm
providing.

In writing this I'm discovering that the root cause of my issues is a pf
ruleset that's overly complicated because I want to assign flows to different
queues. Thus, I'm using:


     match in on egress to ($ext_if) port $udp_port_00 queue q_priority tag INBOUND_UDP
     match in on egress to ($ext_if) port $udp_port_01 queue q_default tag INBOUND_STATELESS
     …

     pass in on egress keep state tagged INBOUND_UDP
     pass in on egress no state tagged INBOUND_STATELESS

As I read this I'm thinking that there is a better solution to the problem.

-- Chris
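The ruleset quoted in the message, filled out as a complete pf.conf fragment. This is an added illustration, not Chris's actual configuration; the interface name, port numbers and the `udp_stateful`/`udp_stateless` macros are assumptions, the queues `q_priority` and `q_default` are assumed to be defined elsewhere, and the ruleset is assumed to block by default.

```pf
# Added illustration, not the poster's ruleset.
# Assumed: queues q_priority and q_default are defined elsewhere,
# and the ruleset blocks anything not explicitly passed.
ext_if = "em0"                 # assumed external interface
udp_stateful  = "{ 5060 }"     # assumed: a udp service that should keep state
udp_stateless = "{ 123 }"      # ntp: the service the post does not want tracked

# match rules only assign the queue and a tag; they pass nothing by themselves
match in on egress proto udp to ($ext_if) port $udp_stateful  queue q_priority tag INBOUND_UDP
match in on egress proto udp to ($ext_if) port $udp_stateless queue q_default  tag INBOUND_STATELESS

# stateful: the state entry created here also lets the service's replies out
pass in on egress keep state tagged INBOUND_UDP

# stateless: each packet is evaluated on its own and no state entry exists,
# so the replies are not covered and need an explicit outbound rule of their own
pass in  on egress no state tagged INBOUND_STATELESS
pass out on egress proto udp from ($ext_if) port $udp_stateless no state
```

The point the fragment makes is the asymmetry: with `keep state` one inbound rule covers both directions, while `no state` leaves every reply to be matched by a separate rule.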

