Firewall Wizards mailing list archives
Re: TCP buffers in firewalls
From: Bret Watson <lists () bwa net>
Date: Fri, 12 Dec 1997 09:56:09
Question: Would a high volume of current TCP sessions and a high volume of unserved TCP requests affect state-based packet filters and proxy services differently? If a webserver behind a firewall was able to hold a greater number of sessions than the firewall, I would think this is a TCP stack issue, not an issue with the way a proxy handles sessions vs. a filter. I'm still not sure if a finger should be pointed at a slow database for locking up the firewall, or at the firewall for locking up because of unreleased/unserved TCP sessions.
Bill,

IMHO, I would think the finger should be pointed at the firewall's TCP stack - it should be able to support a large number of pending connections; after all, the web server could. But that reasoning is a bit simplified.

I don't think a caching proxy would help significantly, as the delay is not in the network bandwidth but the db lag. I find cache proxies questionable, to say the least, anyway; it's just an extra part to fail - but the cache is really there to 'speed' up http access from within an org, not (presumably) uniquely identified banner references.

I suspect on an app proxy firewall, the unserved requests would not cause a lock-up. On a stateful inspection firewall, the rule set would be created per connection; as the TCP request to the webserver is actually a TCP connection to the firewall, there would be a rule created. Sooner or later (esp. if the db is losing ground against the requests) the rule-base is going to consume all its allocated resources. On an application proxy, the firewall is effectively the webserver, and the access rule is fixed, therefore the only resources being used would be buffers for the TCP connection - it should be able to handle the load.

Hope this is useful.

Cheers,
Bret

Technical Incursion Countermeasures
Providing the means for your company's self-defense
consulting () ticm com
http://www.ticm.com/
ph: (+61)(08) 9429 8898 (UTC+8 hrs)
fax: (+61)(08) 9429 8800