> -----Original Message-----
> From: Jon Earle [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 13 April 2000 11:18 PM
> To: Ben Nagy
> Cc: [EMAIL PROTECTED]
> Subject: RE: Packet Filtering vs. Proxy
>
>
> At 05:44 PM 4/13/00 +0930, you wrote:
>
> >Strictly speaking, a stateful packet filter only keeps state (duh). This
> >means that an SPF is supposed to know everything about the TCP/IP rules
> >for the flow of data between the internal and external hosts.
>
> What then, is "state"? By your message, I don't see the difference between
> this and a "normal" packet filter.
>
> Jon
Oh, OK. State is things like sequence numbers, all four src / dest ports [1],
window sizes etc. State also has a formal meaning to do with the mode or
gear or whatever you want to call it that the TCP stack is currently working
in - SYN-SENT, TIME-WAIT etc etc. SPFs should also be able to block packets
with flag combinations that aren't allowable for the current state of the
TCP session - if you're not in SYN-SENT you shouldn't be getting a SYN-ACK
packet back etc.
The short version is that there are a lot of rules that things should
follow. SPFs are supposed to know about these - port numbers are just the
surface. I refer you to RFC 793 (from memory) for TCP...you probably also
want to read the UDP and IP RFCs. They're a tough slog though - offhand I
don't know of any primer level stuff (sorry) so just do a webgrep.
Does that make sense?
Cheers,
[1] Most "normal" packet filters only lock down the local destination port.
Some will restrict the remote source port to within a range (e.g. >1023). SPFs
can (once a conversation has started) restrict local src/dest and remote
src/dest to specific values making it harder for Bad People to inject
traffic.
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
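The difference Ben describes, shown as an added Python illustration that is not part of the original thread: a "normal" filter that judges each packet on its own (local port above 1023 plus the ACK bit, the usual "established" rule) beside a toy stateful filter that keys a table on the full 4-tuple and only passes packets whose flags are legal for the conversation's current state. The state machine is a deliberately simplified client-side view (RFC 793's SYN-SENT and ESTABLISHED plus two names of this example's own, SYN-ACK-SEEN and CLOSING); it does not track sequence numbers or windows, which a real SPF also does. The packets and addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
from dataclasses import dataclass

# TCP flag bits as laid out in RFC 793.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: tuple          # (ip, port)
    dst: tuple          # (ip, port)
    flags: int
    inbound: bool       # True = arriving from outside, False = leaving


class StatelessFilter:
    """A 'normal' packet filter: judges every packet on its own.

    Policy: let anything out; let a packet in only if it is aimed at a local
    port above 1023 and carries ACK. That 'established' rule is just a flag
    check, so it cannot tell a real reply from an injected packet.
    """

    def accept(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            return True
        return pkt.dst[1] > 1023 and bool(pkt.flags & ACK)


class StatefulFilter:
    """Keeps a table keyed by the full 4-tuple and passes a packet only if its
    flags are legal for the conversation's current state (simplified: no
    sequence or window tracking, client-initiated connections only)."""

    def __init__(self):
        self.table: dict = {}   # (local, remote) -> state name

    def accept(self, pkt: Packet) -> bool:
        key = (pkt.dst, pkt.src) if pkt.inbound else (pkt.src, pkt.dst)
        state = self.table.get(key)
        flags = pkt.flags & (FIN | SYN | RST | ACK)

        if flags & RST:
            # A reset only makes sense for a conversation we already know.
            if state is None:
                return False
            del self.table[key]
            return True

        if state is None:
            # Only an outbound bare SYN may open a new conversation.
            if not pkt.inbound and flags == SYN:
                self.table[key] = "SYN-SENT"
                return True
            return False

        if state == "SYN-SENT":
            # The one packet we expect now is the server's SYN-ACK.
            if pkt.inbound and flags == SYN | ACK:
                self.table[key] = "SYN-ACK-SEEN"   # this example's own name
                return True
            return False

        if state == "SYN-ACK-SEEN":
            # Handshake completes with the client's ACK (no SYN).
            if not pkt.inbound and flags == ACK:
                self.table[key] = "ESTABLISHED"
                return True
            return False

        if state in ("ESTABLISHED", "CLOSING"):
            # Data and FIN carry ACK; a SYN is never legal once established.
            if (flags & SYN) or not (flags & ACK):
                return False
            if flags & FIN:
                if state == "ESTABLISHED":
                    self.table[key] = "CLOSING"
                else:
                    del self.table[key]     # second FIN: conversation over
            return True

        return False


def run_scenario():
    """Replay a constructed packet sequence through both filters.

    Returns a list of (label, stateless_verdict, stateful_verdict).
    """
    client = ("192.0.2.10", 40000)      # constructed internal host
    server = ("203.0.113.5", 80)        # constructed remote web server
    stranger = ("198.51.100.7", 80)     # constructed host the client never spoke to
    steps = [
        ("client SYN", Packet(client, server, SYN, False)),
        ("server SYN-ACK", Packet(server, client, SYN | ACK, True)),
        ("client ACK", Packet(client, server, ACK, False)),
        ("server data", Packet(server, client, ACK, True)),
        ("stranger SYN-ACK", Packet(stranger, client, SYN | ACK, True)),
        ("server SYN-ACK again", Packet(server, client, SYN | ACK, True)),
        ("stranger bare SYN", Packet(stranger, client, SYN, True)),
        ("server FIN", Packet(server, client, FIN | ACK, True)),
        ("client FIN", Packet(client, server, FIN | ACK, False)),
    ]
    stateless, stateful = StatelessFilter(), StatefulFilter()
    return [(label, stateless.accept(p), stateful.accept(p)) for label, p in steps]


if __name__ == "__main__":
    for label, a, b in run_scenario():
        print(f"{label:22} stateless={'pass' if a else 'drop'}  "
              f"stateful={'pass' if b else 'drop'}")
```

Running it shows the two "stranger SYN-ACK" and "server SYN-ACK again" packets sailing through the stateless filter (ACK bit set, high local port) while the stateful one drops them: the first because no conversation with that 4-tuple exists, the second because a SYN-ACK is not a legal flag combination once the session is ESTABLISHED.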