On 10/21/07, Henning Brauer <[EMAIL PROTECTED]> wrote:
>
> * Tony Sarendal <[EMAIL PROTECTED]> [2007-10-21 14:50]:
> > > stateless is poop.
> > What will happen when the limit of maximum concurrent states is reached?
> > Will it stop forwarding new flows?
>
> depends on the way you write your ruleset.
> if you do nothing, exactly that happens.
An incoming packet is either dropped or not, I don't see how the router can do nothing.

Besides that, the environment I am looking at is an edge/peering router. Basic filtering to protect infrastructure and, where possible, prevent spoofing. I do not consider such an environment a suitable place for a stateful device, as they normally change behaviour when the limit of states is exceeded. A router that has a major performance drop when a certain limit of flows is reached is something I normally stay away from; a router that stops forwarding new flows when a flow limit is reached is worse. That is my reasoning for using stateless filters in my case.

If OpenBSD/pf has a solution that solves these stateful limitations I would be very interested in understanding it.

/Tony
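Editor's added example, not from Tony or Henning and not part of the original thread: a pf.conf sketch of the stateless edge/peering filter Tony describes (infrastructure protection plus anti-spoofing, written with "no state" so the rules are unaffected by a full state table), with the global knobs pf offers if one does keep state shown as comments. The interface name, peer addresses (documentation prefixes) and limit values are assumptions chosen for illustration.

```pf
# Added example (technical editor), not part of the original thread.
# Interface name, peer addresses (RFC 5737/RFC 3849 documentation space)
# and the limit values below are assumptions chosen for illustration.

ext_if = "em0"
table <bgp_peers> const { 192.0.2.1, 2001:db8::1 }

set skip on lo

# --- Stateless edge/peering filter ----------------------------------------
# 'no state' means these rules never create state-table entries, so their
# behaviour does not change when the table fills up.

# Source-address validation against the routing table (loose uRPF).
# Caveat: on a multihomed router with asymmetric routing this can drop
# legitimate traffic; check the FIB before enabling it on peering links.
block in quick from urpf-failed

# Infrastructure protection: only configured peers may reach BGP on the
# router itself. 'quick' rules are first-match, so the pass for the peers
# must come before the catch-all block.
pass in quick on $ext_if proto tcp from <bgp_peers> to (self) port 179 no state
block in quick on $ext_if proto tcp to (self) port 179 no state

# Transit traffic is forwarded without creating state.
pass quick on $ext_if no state

# --- If state is kept anyway ----------------------------------------------
# With 'keep state' pf drops a packet when it cannot create the state the
# rule asks for, which is the "stop forwarding new flows" behaviour
# discussed above. The knobs that govern it are global:
#
# set limit states 500000
# set timeout { adaptive.start 300000, adaptive.end 500000 }
#
# Above adaptive.start all state timeouts are scaled down linearly as the
# table fills, reaching zero at adaptive.end, so idle states are expired
# sooner before the hard limit is hit.
```

The adaptive timeouts only make the table empty itself faster as it approaches the limit; the hard limit, and the drop of new flows once it is reached, stays, which is why the stateless rules above avoid the state table altogether for the peering-edge case.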