
Re: Note: states with asymmetric routing



On Wed, 2004-11-24 at 01:32, Ilya A. Kovalenko wrote:
>    Greetings,
> 
>   Just a note.
> 
>   Stateful inspection on a gateway can hamper TCP connections when
> inbound or outbound packets go another route (i.e. when one of the
> directions does not go through the gateway).
> 
>   The connection works fine at a low rate, but fast transfers stop
> every 64K (because PF suddenly stops passing packets).
> 
>   I guess it is not a bug, just a feature (like some
> TCP-window-related state protection). So think about whether there are
> reasons to correct this PF behavior.
> 
> Thank you
> 
> Ilya A. Kovalenko
stateful firewalls are built on the premise that the firewall is in-line
between client and server; and therefore, sees all requests/replies.
asymmetric routing violates that premise; and therefore, all bets are
off.
if you *_must_* do this--allow states to be created on non-SYN packets
(note:  this is an *awful* idea).
i will assume that you do not have delusions that this should work with
NAT-ed connections, because it most certainly will not.
-j
--
"Another day, another box of stolen pens."
	--The Simpsons
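As an added illustration (not from either poster) of the two rule shapes the reply contrasts, here is a pf.conf fragment written with current OpenBSD pf.conf(5) syntax rather than the 2004-era grammar; the interface name and the 192.0.2.10 host are assumptions for the example.

```pf
# Added example, not part of the thread. Assumes ext_if = "em0" and a
# single server at 192.0.2.10 (documentation address) that is reached
# over the asymmetric path; everything else keeps full stateful inspection.
ext_if   = "em0"
asym_host = "192.0.2.10"

# Default and recommended stateful rule: a state is created only by the
# initial SYN, and PF then tracks sequence numbers and window for both
# directions. This is what stalls when one direction of the flow never
# crosses the gateway, because the window tracking sees only half of it.
pass in on $ext_if proto tcp to port 22 flags S/SA keep state

# The workaround the reply describes: let a mid-stream packet (no SYN)
# create the state. "flags any" drops the SYN requirement; "sloppy"
# disables sequence/window checking so a one-direction view does not
# block the transfer once the tracked window is exhausted. Both weaken
# what the state table can assert about the connection, so scope the
# rule to the one host and port that need it, and do not expect it to
# work together with NAT (nat-to/rdr-to), as the reply notes.
pass in  on $ext_if proto tcp to   $asym_host port 22 flags any keep state (sloppy)
pass out on $ext_if proto tcp from $asym_host port 22 flags any keep state (sloppy)
```

Keeping the strict S/SA rule as the default and limiting the sloppy rule to the asymmetric host means the rest of the state table still gets the sequence and window checks that make stateful inspection worth having.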