
List:       ipfilter
Subject:    Keep-state question
From:       "David F. Newman" <dnewman () cmgi ! com>
Date:       2003-06-03 20:17:30

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi there,
I have a purely conceptual question regarding keep-state.  Say one
has a DNS server and the default rules are block out and block in.
Then one opens up general outbound UDP with

    pass out quick proto udp keep state

This would allow outbound UDP DNS queries.  Then one could add

    pass in quick proto udp port = 53 keep state

to allow inbound UDP DNS requests and use keep state so that the
return packet is not caught by the general UDP outbound keep state.

I am wondering, since I am allowing DNS from anywhere to anywhere,
whether it might be better not to use keep state for UDP DNS, as it will
just induce undue load on the state table.  I could put at the top of the
ruleset

    pass in quick proto udp port = 53
    pass out quick proto udp port = 53

thereby bypassing the state table altogether.

Does anyone have any thoughts as to which method is better?

- -Dave

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (SunOS)

iD4DBQE+3QJau3B/p4jCw/IRAgrOAJ9kTDgMY9nJ1BDk4FrhEfrzFqQAeACVEc7h
7W4dXwa3OxAM2aeXPcTNXg==
=jezT
-----END PGP SIGNATURE-----
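The two rulesets sketched in the question, written out in full ipf.conf syntax, as an added example that is not part of the original post. The interface name hme0 and the server address 192.0.2.53 are assumptions for illustration (the post's rules carry no interface or address); everything else follows the post. In ipf a port test applies to whichever side of the rule it follows, so `to ... port = 53` matches the destination port and `from ... port = 53` matches the source port.

```text
# /etc/ipf.conf -- example only, not from the original post.
# Assumed: external interface hme0, DNS server at 192.0.2.53.
# ipf is last-match-wins unless a rule says "quick", so the default
# blocks come first and the "quick" pass rules override them.

block in  all
block out all

# ---- Variant A: stateful (as in the question) --------------------------
# General outbound UDP.  The state entry created here also admits the
# reply to this host's own queries without any further rule lookup.
pass out quick on hme0 proto udp from any to any keep state

# Inbound DNS queries to the server.  Because this rule keeps state,
# the server's reply (source port 53 going out) is matched by the state
# entry, so it never reaches the general outbound rule above.
pass in  quick on hme0 proto udp from any to 192.0.2.53/32 port = 53 keep state

# ---- Variant B: stateless DNS placed ahead of the stateful rules -------
# Queries in: destination port 53 on the server.
pass in  quick on hme0 proto udp from any to 192.0.2.53/32 port = 53
# Replies out: note the port test moves to the "from" side, because the
# server's replies carry 53 as the SOURCE port.  A "to any port = 53"
# rule here would only pass queries the server itself sends, not replies.
pass out quick on hme0 proto udp from 192.0.2.53/32 port = 53 to any
```

One practical difference worth noting when weighing the two: the stateless outbound rule in Variant B passes any UDP datagram leaving the server with source port 53, whether or not it is a reply to a query that actually arrived, whereas in Variant A only traffic matching an existing state entry is passed. Either way the rules are loaded with `ipf -Fa -f /etc/ipf.conf` and the resulting state table can be inspected with `ipfstat -s`.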


