Vulnerability Development mailing list archives

Re: Automatic antispoofing rules on access servers.


From: Ben Galehouse <bgalehou () PACBELL NET>
Date: Wed, 20 Sep 2000 09:22:33 -0700

Leon Rosenstein wrote:

> I have used Sonicwalls before and I believe (note the word believe I don't
> know for concrete fact) that they work like this; the Sonicwall caches all
> outbound connections and then matches them up with returning inbound
> connections.  If it does not have the originating connection cached it will
> drop the inbound connection (this is how it protects against spoofing).
> This sets up a very annoying sequence when the return connection (the
> inbound one) does not "match up" to where (portwise) the Sonicwall thinks it
> should be.  I found this particularly annoying with liveupdate from Symantec
> (among others).  The firewall would cache the connection, expect it to come
> back on a certain port number and when it would come back on a different one
> it would just drop it.  I am not sure but I believe this is how stateful packet
> inspection works.  Please correct me (in public or private) if I am wrong
> cause there is a good chance I am.

First of all, a small nit. Classic netnews and email list etiquette
expects two things when quoting.  One, clearly mark attributions and
indicate quoted material as such, with some form of attribution.  Two,
do not blindly copy entire messages when you respond.  Insert your
responses after the section that you are responding to and delete less
relevant sections.  You are quoting for context, to jog the memory.  If
somebody wants to see the entire original, they can go check the
archives.  I don't generally comment on Two, but One is really
potentially misleading.

Back on topic.  Stateful packet inspection is as you describe.  I
believe that Sonicwalls also do NAT by default, which can be seen as an
extension of stateful packet inspection.  Stateful inspection is
not, however, the same as anti-spoofing.  Stateful packet inspection
lets you drop packets that aren't part of a TCP connection.  This makes
it possible to stop things like incoming connections and x-mas tree
scans.  This behaviour is totally independent of the validity of the
return address.
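To make the distinction in the reply above concrete, here is an added illustration (not code from the list or from any firewall vendor): a toy stateful filter that tracks outbound TCP 4-tuples next to a separate ingress/egress address check. The LAN range 192.168.1.0/24, the addresses, ports and flag sets are all constructed. The scenarios reproduce the cases discussed in the thread: a legitimate reply, a reply arriving from an unexpected remote port, an x-mas tree probe with no matching state, and an inbound packet claiming an internal source address.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example: a toy stateful packet filter and an independent
# anti-spoofing (address validity) check. Addresses and ports are made up.
INTERNAL_NET = ip_network("192.168.1.0/24")  # assumed LAN behind the firewall


@dataclass(frozen=True)
class Packet:
    direction: str    # "out" = LAN -> Internet, "in" = Internet -> LAN
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags set on the packet, e.g. frozenset({"SYN"})


class StatefulFilter:
    """Records outbound TCP connections and admits inbound packets only if
    they belong to a recorded 4-tuple. Nothing here checks whether the
    source address is plausible; it only checks membership in the table."""

    def __init__(self):
        # (lan_ip, lan_port, remote_ip, remote_port) for every outbound SYN seen
        self.connections = set()

    def verdict(self, pkt):
        if pkt.direction == "out":
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept"
        # Inbound: the LAN host is dst, the remote is src. An exact 4-tuple
        # match is required, so a reply from a different remote port fails.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "accept" if key in self.connections else "drop"


def antispoof_verdict(pkt):
    """Address-validity check, independent of connection state: packets
    arriving from the Internet must not claim an internal source, and
    packets leaving the LAN must carry an internal source."""
    src_is_internal = ip_address(pkt.src) in INTERNAL_NET
    if pkt.direction == "in" and src_is_internal:
        return "drop"
    if pkt.direction == "out" and not src_is_internal:
        return "drop"
    return "accept"


def run_scenarios():
    """Return {scenario: (stateful_verdict, antispoof_verdict)}."""
    fw = StatefulFilter()
    syn, synack, xmas = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"FIN", "PSH", "URG"})
    scenarios = {
        # LAN host opens a connection; this creates the table entry.
        "outbound_syn": Packet("out", "192.168.1.10", 40000, "203.0.113.5", 80, syn),
        # Reply matching the recorded 4-tuple. The stateful filter accepts it
        # purely because it matches; it has no way to know who really sent it.
        "matching_reply": Packet("in", "203.0.113.5", 80, "192.168.1.10", 40000, synack),
        # Same remote host answering from a different port: no match, dropped.
        "reply_wrong_port": Packet("in", "203.0.113.5", 8080, "192.168.1.10", 40000, synack),
        # Unsolicited x-mas tree probe: no state, dropped regardless of address.
        "xmas_scan": Packet("in", "198.51.100.7", 55555, "192.168.1.10", 22, xmas),
        # Inbound packet claiming an internal source: the address check
        # rejects it on its own, whatever the connection table says.
        "spoofed_internal_src": Packet("in", "192.168.1.10", 40000, "192.168.1.20", 445, syn),
    }
    results = {}
    for name, pkt in scenarios.items():  # insertion order matters: SYN first
        results[name] = (fw.verdict(pkt), antispoof_verdict(pkt))
    return results


if __name__ == "__main__":
    for name, (stateful, antispoof) in run_scenarios().items():
        print(f"{name:22s} stateful={stateful:6s} antispoof={antispoof}")
```

The two verdict columns move independently: the stateful filter drops the port-mismatched reply and the x-mas probe with no interest in their source addresses, while the address check is the only thing that objects to a packet forging an internal source. A real firewall applies both, and a spoofed packet that happens to match an existing 4-tuple gets past the stateful check alone, which is why the two mechanisms are not interchangeable.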
