I'm considering getting rid of the connection tracking in my firewall, since it sucks up too many resources, and instead simply allowing all packets except inbound TCP SYN packets.
That should block all incoming TCP connections, but allow everything else in and out.
My question is: are there any widespread Windows/Linux exploits that can still get in through UDP or ICMP etc.? If there are, how prevalent are they?
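To make the proposed policy concrete, here is an added example (not code from the thread or from any of the posters) that models the "drop inbound TCP SYN, accept everything else" rule and runs a small constructed packet trace through it side by side with a toy connection-tracking filter. The rule corresponds to what iptables `-p tcp --syn` matches (SYN set, ACK/RST/FIN clear); the interface name `wan0`, the port numbers and the `Packet`/`Conntrack` names below are assumptions made for the illustration, and the conntrack model is deliberately simplified (it never expires flows).

```python
from dataclasses import dataclass

# Protocol numbers and TCP flag bits as carried in the IP/TCP headers.
TCP, UDP, ICMP = 6, 17, 1
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
ECHO_REQUEST, ECHO_REPLY = 8, 0


@dataclass(frozen=True)
class Packet:
    """Only the header fields the two policies look at (constructed, not captured)."""
    inbound: bool        # True if it arrived on the WAN side (assumed interface wan0)
    proto: int
    sport: int = 0       # for ICMP echo: the identifier
    dport: int = 0       # for ICMP: the message type
    flags: int = 0       # TCP flag bits; unused for UDP/ICMP


def is_syn(pkt):
    """What iptables '-p tcp --syn' matches: SYN set with ACK, RST and FIN clear."""
    return pkt.proto == TCP and (pkt.flags & (SYN | ACK | RST | FIN)) == SYN


def stateless_verdict(pkt):
    """The policy proposed in the question: drop inbound TCP SYN, accept the rest.
    Equivalent to: iptables -A INPUT -i wan0 -p tcp --syn -j DROP (and the same on FORWARD)."""
    return "DROP" if pkt.inbound and is_syn(pkt) else "ACCEPT"


class Conntrack:
    """Toy stateful (SPI) filter for comparison: remember outbound flows and let
    inbound traffic through only when it answers one of them. Real conntrack also
    expires entries; this toy does not, which is exactly the per-flow memory cost."""

    def __init__(self):
        self.flows = set()

    def verdict(self, pkt):
        if not pkt.inbound:
            key = (ICMP, pkt.sport) if pkt.proto == ICMP else (pkt.proto, pkt.sport, pkt.dport)
            self.flows.add(key)
            return "ACCEPT"
        if pkt.proto == ICMP:
            # only an echo reply whose identifier matches a request we sent counts as established
            ok = pkt.dport == ECHO_REPLY and (ICMP, pkt.sport) in self.flows
        else:
            ok = (pkt.proto, pkt.dport, pkt.sport) in self.flows
        return "ACCEPT" if ok else "DROP"


# Constructed trace: (label, packet). Local ports 40000/51000 and the remote ports are arbitrary.
TRACE = [
    ("outbound TCP SYN to a web server",        Packet(False, TCP, 40000, 443, SYN)),
    ("its SYN/ACK reply",                       Packet(True,  TCP, 443, 40000, SYN | ACK)),
    ("unsolicited inbound SYN to port 22",      Packet(True,  TCP, 55555, 22, SYN)),
    ("unsolicited inbound bare ACK (ACK scan)", Packet(True,  TCP, 80, 3389, ACK)),
    ("unsolicited inbound SYN/ACK",             Packet(True,  TCP, 80, 12345, SYN | ACK)),
    ("outbound DNS query",                      Packet(False, UDP, 51000, 53)),
    ("its DNS reply",                           Packet(True,  UDP, 53, 51000)),
    ("unsolicited inbound UDP",                 Packet(True,  UDP, 4444, 1234)),
    ("outbound ping (id 7)",                    Packet(False, ICMP, 7, ECHO_REQUEST)),
    ("its echo reply (id 7)",                   Packet(True,  ICMP, 7, ECHO_REPLY)),
    ("unsolicited inbound ping",                Packet(True,  ICMP, 9, ECHO_REQUEST)),
]


def compare(trace=TRACE):
    """Run the trace through both filters; return {label: (stateless, stateful)}."""
    ct = Conntrack()
    return {label: (stateless_verdict(p), ct.verdict(p)) for label, p in trace}


if __name__ == "__main__":
    for label, (s, f) in compare().items():
        print(f"{label:40} stateless={s:6} stateful={f}")
```

Running it prints one line per packet. Both filters stop the unsolicited SYN, and both let the replies to our own TCP, DNS and ping traffic through. The difference is everything else inbound: a bare ACK or an unsolicited SYN/ACK (as used by ACK scans and similar probes), any UDP datagram to a local port, and any ICMP echo request reach the host under the stateless rule, while the tracking filter drops them because no outbound flow matches. The rule therefore only blocks new inbound TCP connections; whether a UDP or ICMP listener behind it is exploitable is a property of that listener, not of the firewall.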
Risks of no SPI firewall.
mstombs wrote: What is the firewall running on, how do you know it is an issue? Quite small old PCs can handle gigabit routing!

This is on a little home router with only 16 MB of RAM. The problem is not packet forwarding performance but rather memory use when tracking thousands of connections (think P2P or webserver).
mstombs wrote: Do you have a block of static IP addresses? NAT routing requires connection tracking.

Yep - got myself a static /28 (14 usable public IP addresses) by asking my ISP nicely.