Re: Note: states with asymmetric routing
On Wed, 2004-11-24 at 01:32, Ilya A. Kovalenko wrote:
> Just a note.
> Stateful inspection on a gateway can hamper TCP connections when
> inbound or outbound packets go another route (i.e. when one of the
> directions does not go through the gateway).
> Connections work fine at a low rate, but fast transfers stop at
> each 64K (because PF suddenly stops passing packets).
> I guess it is not a bug, just some feature (like some
> TCP-window-related state protection). So think about whether there are
> reasons to correct this PF behavior.
> Thank you
> Ilya A. Kovalenko
stateful firewalls are built on the premise that the firewall is in-line
between client and server; and therefore, sees all requests/replies.
asymmetric routing violates that premise; and therefore, all bets are
if you *_must_* do this--allow states to be created on non-SYN packets
(note: this is an *awful* idea).
i will assume that you do not have delusions that this should work with
NAT-ed connections, because it most certainly will not.
"Another day, another box of stolen pens."
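The two choices the reply contrasts, written out as pf.conf fragments. This is an added illustration, not configuration from either poster; the interface names, the 192.0.2.10 address and the port are placeholders, and the sloppy state option is a later pf addition that was not available when this thread was written.

```pf
# Added example, not from the thread. Placeholder names below.
ext_if = "em0"

# Strict tracking (the normal case, firewall sees both directions):
# a state is created only by the initial SYN, and pf's sequence/window
# tracking then expects to see every packet of the connection. With
# asymmetric routing the tracker falls out of sync and mid-stream
# packets are dropped, which is the stall on fast transfers described
# in the original note.
pass in on $ext_if proto tcp from any to 192.0.2.10 port 80 \
    flags S/SA keep state

# What the reply calls an "awful idea": let a state be created on any
# TCP packet, not just the SYN, so a flow whose other direction bypasses
# this gateway can still be matched. Anyone who can send a single packet
# can now open a state, so the firewall no longer validates handshakes.
pass in on $ext_if proto tcp from any to 192.0.2.10 port 80 \
    flags any keep state

# Later pf versions added a sloppy tracker that skips sequence-number
# checks entirely; pf.conf(5) documents it for exactly this asymmetric
# routing situation, with the same loss of protection against spoofed
# mid-stream packets.
pass in on $ext_if proto tcp from any to 192.0.2.10 port 80 \
    flags any keep state (sloppy)
```

Use the relaxed forms only on the specific rules that must survive the asymmetric path, and keep the SYN-only rule for everything else; `pfctl -ss` will show the resulting states so the change can be checked.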