I'm looking over the ipfw rules for our webserver and it struck me that we use check/keep-state on all outgoing traffic. We only have a handful of ports open in both directions. We don't have much outgoing traffic, and 99% of it is on port 80 (PHP/CURL for example). There could be a potential risk of filling up the state table, so I'm thinking maybe it's unnecessary to use keep-state at all. We don't use it on incoming traffic (for obvious reasons). What in general is the purpose of using out keep-state?
Answer 1
Outgoing keep-state opens the ports dynamically for replies to outgoing traffic. These reply packets could come back on any port, so keep-state reduces the exposure while opening the random ports used by the external service, allowing the reply packets back in. In special cases a server could run without keep-state (no externally bound traffic), but in practice most systems use external services. A multi-tiered system could be set up to reply on specific ports, but the default configuration for most general-use services is: known port inbound, random port outbound. DNS, outbound email, remote logging, ping, load balance or watchdog heartbeats, pager/cell phone notifications: some or all are common outbound traffic on servers that "don't have outbound traffic".
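The layout the answer describes, as an added illustration rather than anything from the original thread: a ruleset sketch for a web server that serves ports 80/443 statelessly and keeps state only for connections it initiates itself, plus the dynamic-table knobs that address the "filling up the state table" worry. The interface name, port list and sysctl values are assumptions; FWCMD and SYSCTL default to echo so the script is a dry run until pointed at /sbin/ipfw and /sbin/sysctl on a FreeBSD host.

```shell
#!/bin/sh
# Added example, not the poster's ruleset. Runs as a dry run unless FWCMD/SYSCTL
# are set to the real binaries. Interface and ports are assumed values.
fwcmd="${FWCMD:-echo ipfw}"
sysctl="${SYSCTL:-echo sysctl}"
oif="${OIF:-em0}"

emit_rules() {
    # Dynamic rules are consulted first: a reply to a connection this host
    # opened matches its dynamic entry here and needs no static inbound rule.
    $fwcmd add 100 check-state

    # Services this host offers. Kept stateless on purpose: one dynamic entry
    # per client connection is exactly the table pressure the question raises.
    $fwcmd add 200 allow tcp from any to me 80,443 in via "$oif" setup
    $fwcmd add 210 allow tcp from me 80,443 to any out via "$oif" established

    # Connections this host initiates. keep-state records the full 5-tuple, so
    # only the matching reply is admitted instead of a static hole for every
    # high port an external DNS/SMTP/HTTP peer might answer from.
    $fwcmd add 300 allow tcp from me to any 80,443 out via "$oif" setup keep-state
    $fwcmd add 310 allow udp from me to any 53 out via "$oif" keep-state
    $fwcmd add 320 allow tcp from me to any 25 out via "$oif" setup keep-state
    $fwcmd add 330 allow icmp from me to any out via "$oif" icmptypes 8 keep-state

    # Everything else, in either direction, is dropped and logged.
    $fwcmd add 65000 deny log ip from any to any
}

tune_state_table() {
    # Cap the dynamic table and shorten the idle lifetime of established
    # entries so a burst of outbound connections ages out instead of wedging
    # the host when the cap is hit (new keep-state matches fail once full).
    $sysctl net.inet.ip.fw.dyn_max=4096
    $sysctl net.inet.ip.fw.dyn_ack_lifetime=300
}

emit_rules
tune_state_table
```

On a live host, `ipfw -d list` shows the dynamic entries currently held, which is the quickest way to see how close the table is to dyn_max.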