I'm curious as to what makes a firewall stateless. I've heard that iptables is stateless and just acts as a filter. That's what I use on my Linux machine. Why is it considered stateless? Isn't jumping to a new chain similar to changing states?
iptables, stateless firewalls
- Thread starter Yohhan
- Start date
iptables can be stateful. ipchains was stateless.
States are basically the firewall software paying attention to what authorized traffic has already been let through. TCP is a connection oriented protocol. The two ends of the connection negotiate that connection (TCP handshake). Until that connection is reset (RST), finished (FIN), or times out it is in a "connected state." As well as the TCP flags, a stateful firewall tracks syncronization numbers in the packets.
Stateless firewalls don't pay attention to the flags at all. They see a connection going to port 80 on your webserver and pass it and the response. Stateful firewalls see the connection to your webserver on port 80, pass it, setup a state, and allow a response. Stateless firewalls wouldn't be able to stop your webserver from connecting somewhere else using port 80 as the source port. Stateful firewalls see a packet coming from port 80 and know that no one initiated a connection and can block it.
The syncronization numbers are important to try and keep spoofing down to a minimum.
States are basically the firewall software paying attention to what authorized traffic has already been let through. TCP is a connection oriented protocol. The two ends of the connection negotiate that connection (TCP handshake). Until that connection is reset (RST), finished (FIN), or times out it is in a "connected state." As well as the TCP flags, a stateful firewall tracks syncronization numbers in the packets.
Stateless firewalls don't pay attention to the flags at all. They see a connection going to port 80 on your webserver and pass it and the response. Stateful firewalls see the connection to your webserver on port 80, pass it, setup a state, and allow a response. Stateless firewalls wouldn't be able to stop your webserver from connecting somewhere else using port 80 as the source port. Stateful firewalls see a packet coming from port 80 and know that no one initiated a connection and can block it.
The syncronization numbers are important to try and keep spoofing down to a minimum.
awesome explanation and dead on. Stateful can even go beyond that as well and make sure the funny protocols (like FTP, H.323, oracle, etc) work properly and the incoming connections needed and requested by the client are allowed in.
Thanks. Except I should have said sequence numbers instead of syncronization numbers, although I don't know how much difference it would really make.
Is that really just a feature of stateful firewalls? I'd think that a stateless firewall could look at the protocol in use and block/allow based on that. I have *very* little experience with stateless firewalls though.
Nothinman
Elite Member
- Sep 14, 2001
- 30,672
- 0
- 0
I believe it would need to be statefull to keep track of which new connections belong to which original connection. For instance, when a NAT'd FTP client sends a PORT x.x.x.x.y command the NAT device should replace x.x.x.x with it's IP and y with an available port so the command can have a chance of working. Then it would wait for a connection on port y to forward back to the client on whatever port was originally in the PORT packet. It could probably work without any state information, but the chance of spoofing and getting traffic to unintended hosts would be much higher, infact I believe ipchains supported this example even though it's state tracking was so limited.
Keeping track of connections is typically done using the sequence numbers, ip addresses, and ports. Maybe I'm not understanding your example though.
Originally posted by: n0cmonkey
Keeping track of connections is typically done using the sequence numbers, ip addresses, and ports. Maybe I'm not understanding your example though.
the "funny" protocols request inbound connections or negotiate new port/sequence numbers in the application layer. Stateful keeps track of the "state" of these connections.
<---remembers doing state diagrams at purdue. always loads of fun.
Originally posted by: spidey07
Originally posted by: n0cmonkey
Keeping track of connections is typically done using the sequence numbers, ip addresses, and ports. Maybe I'm not understanding your example though.
the "funny" protocols request inbound connections or negotiate new port/sequence numbers in the application layer. Stateful keeps track of the "state" of these connections.
<---remembers doing state diagrams at purdue. always loads of fun.
Ok, so basically the client tells the server "contact me here" and gives an ip address and port number, so the server can initiate the handshake?
Originally posted by: n0cmonkey
Originally posted by: spidey07
Originally posted by: n0cmonkey
Keeping track of connections is typically done using the sequence numbers, ip addresses, and ports. Maybe I'm not understanding your example though.
the "funny" protocols request inbound connections or negotiate new port/sequence numbers in the application layer. Stateful keeps track of the "state" of these connections.
<---remembers doing state diagrams at purdue. always loads of fun.
Ok, so basically the client tells the server "contact me here" and gives an ip address and port number, so the server can initiate the handshake?
yes, and that IP/PORT info is contained in te application layer., instant messengers, andfile sharing proggies are another example
Ok, now that all makes sense. Before it made varying degrees of sense depending on how it was explained to me, now I'm fairly confident I understand.
Originally posted by: n0cmonkey
Ok, now that all makes sense. Before it made varying degrees of sense depending on how it was explained to me, now I'm fairly confident I understand.
if you look at packet decodes of the "funny" protocols you can see the negotiation taking place in the app layer and the subsequent "inbound" connections being established.
All good stuff.
In short:
Stateless ~~ Only looks at IP addresses and network level packets.
Statefull ~~ Also looks at application level usage.
In short:
Stateless ~~ Only looks at IP addresses and network level packets.
Statefull ~~ Also looks at application level usage.
Originally posted by: spidey07
Originally posted by: n0cmonkey
Ok, now that all makes sense. Before it made varying degrees of sense depending on how it was explained to me, now I'm fairly confident I understand.
if you look at packet decodes of the "funny" protocols you can see the negotiation taking place in the app layer and the subsequent "inbound" connections being established.
Not all stateful firewalls look at this stuff though...
I guess the thought is that other things are there to handle that part of the protocol. I don't know really. passive ftp works fine for me.
Nothinman
Elite Member
- Sep 14, 2001
- 30,672
- 0
- 0
And that's what PASV mode was created for, but most other protocols don't have a passive transfer mode. To properly support them without messing with the payload would require an application level proxy that understands the protocol and that's not always desirable.
TRENDING THREADS
-
Discussion Zen 5 Speculation (EPYC Turin and Strix Point/Granite Ridge - Ryzen 9000)- Started by DisEnchantment
- Replies: 24K
-
Discussion Intel Meteor, Arrow, Lunar & Panther Lakes Discussion Threads
- Started by Tigerick
- Replies: 19K
-
-
-
Facebook
Twitter