One would only use sloppy state tracking on the load balancer, right?

The firewall in front of everything still uses normal tracking?

not necessarily only, but that would be the most common use I bet.

In general, you use it when you cannot avoid it, as in, the other

option is to not filter stateful at all since you don't see all of the
absolutely!
--

Henning Brauer, hb@bsws.de, henning@openbsd.org

BS Web Services, http://bsws.de

Full-Service ISP - Secure Hosting, Mail and DNS Services

Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam

sloppy state handling use, follow these two rules:
rule one:
       if you exactly understand how to use sloppy state safely, use it
NO:    otherwise, don't even dream of using it, unless you come from

       an linux ipfilter world, in which case, it is probably as good

       as that
it is that simple. really.
the second basic rule is:
	if the regular 'strict' state handling does not work for you in

	specific situations, you probably already already know the

	problem in enough detail and can use sloppy, for very specific

	situations which you understand in excruciating detail.  if you

	don't understand those situations exactly go back to NO.

On Fri, Jun 20, 2008 at 02:47:18PM -0400, Ted Unangst wrote:

| One would only use sloppy state tracking on the load balancer, right?

| The firewall in front of everything still uses normal tracking?
This is why the router should also be running pf/OpenBSD ;)
Cheers,
Paul 'WEiRD' de Weerd
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]

                 http://www.weirdnet.nl/

Yes, you use sloppy state only on the host(s) seeing half of the trafic.

So to say it even more plainly... anywhere you are forced to deal with

asymetric routing you can use sloppy state in place of not having any

stateful option. Would that be a fair statement?
--

Darrin Chandler            |  Phoenix BSD User Group  |  MetaBUG

dwchandler@stilyagin.com   |  http://phxbug.org/      |  http://metabug.org/

http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation

It's a fair statement if by 'forced' you mean, 'compelled beyond your

control, with no other options, having fully understood the consequences

and informed all relevant parties of the risks involved'.  This

"feature" is NOT a substitute for good network design.
sloppy state performs basically NO security checks on the TCP stream;

more importantly the TCP state tracking is extremely loose and it's

trivial for an attacker to spoof creation of "fully-established" TCP

connections, which will not time out for an extremely long time, filling

your state table and blocking legitimate traffic. It's dangerous.

Yes, that is what I meant. Thanks for saying it so much better. :)
--

Darrin Chandler            |  Phoenix BSD User Group  |  MetaBUG

dwchandler@stilyagin.com   |  http://phxbug.org/      |  http://metabug.org/

http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation