I don't need no stinking firewall!

Brielle Bruns bruns at 2mbit.com
Tue Jan 5 20:58:52 UTC 2010

On 1/5/10 1:29 PM, Dobbins, Roland wrote:
> Putting firewalls in front of servers is a Really Bad Idea - besides
> the fact that the stateful inspection premise doesn't apply (see
> above), rendering the stateful firewall superfluous, even the
> biggest, baddest firewalls out there can be easily taken down via
> state-table exhaustion; an attacker can craft enough
> programmatically-generated, well-formed traffic which conforms to the
> firewall policies to 'crowd out' legitimate traffic, thus DoSing the
> server.  Addtionally, the firewall can be made to collapse far
> quicker than the server itself would collapse, as the overhead on the
> state-tracking is less than what the server itself could handle on
> its own.

The trick is to not track ports/IPs that do not need it.  On my combo 
firewalls (that handle both NATing and serving websites, dns, etc) for 
example, I'll do a NOTRACK on the LAN side to prevent connections to the 
firewall itself from taking up valuable table space.

It's all how you configure and tweak the firewall.  Recommending people 
run servers without a firewall is bad advice - do you really want your 
Win2k3 server exposed, SMB, RPC, and all to the world?

Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org    /     http://www.ahbl.org

More information about the NANOG mailing list