[121030] in North American Network Operators' Group


RE: I don't need no stinking firewall!

daemon@ATHENA.MIT.EDU (Joel Snyder)
Fri Jan 8 10:22:40 2010

Date: Fri, 08 Jan 2010 08:21:52 -0700
From: Joel Snyder <Joel.Snyder@Opus1.COM>
In-reply-to: <mailman.1.1262952002.86641.nanog@nanog.org>
To: nanog@nanog.org
Cc: jay@Impulse.net
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


> On Thu Jan 07, 2010 at 01:04:01PM -0800, Jay Hennigan <jay@west.net> wrote:
> 
>>> Or better:
>>>     - Allow from anywhere port 80 to server port > 1023 established
>>  Adding "established" brings us back to stateful firewall!
> 
> Not really.  It only looks to see if the ACK or RST bits are set.  This 
> is different from a stateful firewall which memorizes each outbound 
> packet and checks the return for a match source/destination/sequence.

Actually, most firewalls don't check TCP sequence numbers.  You are 
totally correct in that stateless packet filters with "established" are 
only looking for TCP bits, but the main difference that stateful 
firewalls add is watching the TCP state machine.  Sequence number 
watching is a bonus, something you can enable on some firewalls, but 
most of the common ones don't do it by default.

jms

-- 
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One       Phone: +1 520 324 0494
jms@Opus1.COM                http://www.opus1.com/jms
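As an added illustration of the distinction drawn above (not code from the thread or from any firewall product): a stateless "established" match beside a minimal stateful tracker that follows the TCP handshake per flow but, like most firewalls by default, checks no sequence numbers. All addresses, ports and packets are constructed for the example.

```python
from collections import namedtuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10  # TCP header flag bits
Packet = namedtuple("Packet", "src sport dst dport flags")


def established_match(pkt):
    """Stateless 'established' keyword: pass if ACK or RST is set; no flow memory."""
    return bool(pkt.flags & (ACK | RST))


class StatefulTracker:
    """Follows the TCP handshake per flow; no sequence-number checks, as the post notes."""

    def __init__(self):
        self.flows = {}  # (inside_ip, inside_port, outside_ip, outside_port) -> state

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags & SYN and not pkt.flags & ACK:
            self.flows[key] = "SYN_SENT"  # inside host starts a connection
        elif pkt.flags & RST:
            self.flows.pop(key, None)
        return True  # inside may initiate freely in this model

    def inbound(self, pkt):
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.flows.get(key)
        if state is None:
            return False  # unsolicited: dropped even with ACK set
        if pkt.flags & RST:
            del self.flows[key]  # peer aborted the flow; let the RST through
            return True
        if state == "SYN_SENT" and pkt.flags & (SYN | ACK) == SYN | ACK:
            self.flows[key] = "ESTABLISHED"
            return True
        return state == "ESTABLISHED" and bool(pkt.flags & ACK)


def demo():
    """Constructed packets: one real web session and one stray ACK from port 80."""
    inside, web, stray_src = "10.0.0.5", "192.0.2.80", "203.0.113.9"
    fw = StatefulTracker()
    fw.outbound(Packet(inside, 40000, web, 80, SYN))
    synack = Packet(web, 80, inside, 40000, SYN | ACK)
    data = Packet(web, 80, inside, 40000, ACK)
    stray = Packet(stray_src, 80, inside, 40001, ACK)  # no inside host asked for this
    return {  # (stateless verdict, stateful verdict)
        "synack": (established_match(synack), fw.inbound(synack)),
        "data": (established_match(data), fw.inbound(data)),
        "stray_ack": (established_match(stray), fw.inbound(stray)),
    }
```

The stray ACK is the case that separates the two: the flag check lets it through because the bits match, while the tracker drops it because no inside host ever opened that flow.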

