nanog mailing list archives
RE: I don't need no stinking firewall!
From: Joel Snyder <Joel.Snyder () Opus1 COM>
Date: Fri, 08 Jan 2010 08:21:52 -0700
On Thu Jan 07, 2010 at 01:04:01PM -0800, Jay Hennigan <jay () west net> wrote:
> > > Or better:
> > > - Allow from anywhere port 80 to server port > 1023 established
> >
> > Adding "established" brings us back to stateful firewall!
>
> Not really. It only looks to see if the ACK or RST bits are set. This is different from a stateful firewall which memorizes each outbound packet and checks the return for a match source/destination/sequence.
Actually, most firewalls don't check TCP sequence numbers. You are totally correct in that stateless packet filters with "established" are only looking for TCP bits, but the main difference that stateful firewalls add is watching the TCP state machine. Sequence number watching is a bonus, something you can enable on some firewalls, but most of the common ones don't do it by default.
jms
--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One Phone: +1 520 324 0494
jms () Opus1 COM http://www.opus1.com/jms
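The distinction in the exchange above, as an added example that is not part of the thread: a stateless "established" check passes any packet with ACK or RST set, while a minimal state tracker (following the handshake, no sequence-number checking, just as the post says most firewalls do by default) drops an unsolicited ACK that matches no connection. All addresses, ports and the `Packet`/`StatefulTracker` names are constructed for the demo.

```python
# Added example, not from the thread: toy model of the two checks contrasted above.
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False

def established_acl(pkt: Packet) -> bool:
    """Stateless 'established' keyword: pass if the ACK or RST bit is set."""
    return pkt.ack or pkt.rst

class StatefulTracker:
    """Tiny connection table; inbound packets must match a tracked TCP state."""
    def __init__(self):
        self.table = {}  # (inside_ip, inside_port, peer_ip, peer_port) -> state

    def outbound(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        state = self.table.get(key)
        if state is None and pkt.syn and not pkt.ack:
            self.table[key] = "SYN_SENT"      # inside host opens a connection
            return True
        if state == "SYN_RECEIVED" and pkt.ack:
            self.table[key] = "ESTABLISHED"   # third leg of the handshake
            return True
        return state == "ESTABLISHED"

    def inbound(self, pkt: Packet) -> bool:
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # look up reverse direction
        state = self.table.get(key)
        if state == "SYN_SENT" and pkt.syn and pkt.ack:
            self.table[key] = "SYN_RECEIVED"  # peer answered our SYN
            return True
        return state == "ESTABLISHED" and (pkt.ack or pkt.rst)

def demo():
    inside, web, other = "10.0.0.5", "203.0.113.10", "198.51.100.7"  # constructed
    fw = StatefulTracker()
    fw.outbound(Packet(inside, 40000, web, 80, syn=True))
    fw.inbound(Packet(web, 80, inside, 40000, syn=True, ack=True))
    fw.outbound(Packet(inside, 40000, web, 80, ack=True))
    reply = Packet(web, 80, inside, 40000, ack=True)    # genuine return traffic
    stray = Packet(other, 80, inside, 40001, ack=True)  # never requested, ACK set
    return {"reply": (established_acl(reply), fw.inbound(reply)),
            "stray": (established_acl(stray), fw.inbound(stray))}
```

Each tuple is (stateless verdict, stateful verdict): the genuine reply passes both, the stray ACK passes only the stateless filter.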