At 19:17 07/08/00 +0800, Ronneil Camara wrote:

>Btw, what additional feature do we gain when using stateful packet
>inspection compared with conventional packet filtering? Can you please
>itemize the answer.

I guess this is a general question and not a question for "ipfilter" in particular (note that "ipfilter" is the name of a product. That's misleading, but heh,...).

First of all, conventional is hard to define, as things that were conventional some years ago may have left the place for new ones...

- For traffic relayed through proxies, stateful filtering doesn't add anything. You are then even more stateful than any filter. The only way a filter could compete (for statefulness) with a proxy is if it fully emulates a TCP stack, but this is never done since performance would suffer.

- When a proxy is not used then stateful filters add some functionality. They keep information on the connections and will then be able to decide whether a packet is accepted or not based on previous packets. For example, suppose you have a UDP based application using port 666, and that you want to allow outgoing connections and reject incoming ones except responses to yours. With a stateless filter, you'd need to open the door for all incoming UDP packets coming from port 666, and these may be responses to your packets or not. With a stateful filter, when a packet is sent from inside to outside to port 666, the filter "remembers" it, sets some timeout to specify the amount of time a response will be waited for, and when the response comes back, it is accepted. Otherwise, other packets are rejected. The thing is that with a stateful filter, a dynamic rule is added which is precise enough to specify the source host of the response and its destination host and port. While there is no way to dynamically add rules on a "traditional" filter.

- In the case of TCP, "traditional" filters may implement the "established" flag filtering. This may suffice, if your internal hosts have a sane TCP/IP stack. Many people find it insufficient (but many people do have internal hosts running the Windows stack and the last years have shown a tendency of these systems to react badly to some traffic :-P).

Hope this helps.

>Thanks a lot.
>
>Add on: If I'll be using openbsd, what stateful packet inspection tool can I
>use?

IP Filter is a good choice, in my opinion. Check the OpenBSD site/docs for more info. There are also some articles at http://www.freebsddiary.org/topics.php3#ipfilter.

cheers,
mouss

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
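An added illustration of the two points above (the UDP port 666 scenario and the TCP "established" check); this is editor-written example code, not part of mouss's reply and not IP Filter's own logic. It simulates a stateless filter, which can only key on the source port or the ACK bit, beside a stateful one that adds a dynamic rule per outgoing packet with a timeout. The hosts, ports, timeout and packet trace are all constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "out": inside -> outside, "in": outside -> inside
    ack: bool = False   # TCP ACK bit, the only thing an "established" rule examines
    time: float = 0.0   # arrival time in seconds on a constructed clock


class StatelessFilter:
    """Judges every packet on its own; keeps no memory of earlier packets."""

    def __init__(self, app_port=666):
        self.app_port = app_port

    def decide(self, pkt):
        if pkt.direction == "out":
            return True                        # all outgoing traffic is allowed
        if pkt.proto == "udp":
            return pkt.sport == self.app_port  # only handle available: the source port
        if pkt.proto == "tcp":
            return pkt.ack                     # "established": trust the ACK bit alone
        return False


class StatefulFilter:
    """Adds a dynamic rule per outgoing packet and accepts only the reply it predicts."""

    def __init__(self, timeout=60.0):
        self.timeout = timeout
        # (proto, src, sport, dst, dport) of the expected reply -> expiry time
        self.expect = {}

    def decide(self, pkt):
        # dynamic rules whose timeout has passed are forgotten
        self.expect = {k: exp for k, exp in self.expect.items() if exp > pkt.time}
        if pkt.direction == "out":
            # remember exactly which reply is awaited (reversed 5-tuple) and for how long
            reply = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            self.expect[reply] = pkt.time + self.timeout
            return True
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.expect:
            self.expect[key] = pkt.time + self.timeout  # traffic keeps the entry alive
            return True
        return False                               # unsolicited: no dynamic rule matches


def run(filt, packets):
    """Return the accept/reject verdict for each packet in order."""
    return [filt.decide(p) for p in packets]


# Constructed hosts and traces (documentation-only address ranges).
INSIDE, SERVER, STRANGER = "10.0.0.5", "203.0.113.7", "198.51.100.9"

UDP_TRACE = [
    Packet("udp", INSIDE, 40000, SERVER, 666, "out", time=0),     # our query
    Packet("udp", SERVER, 666, INSIDE, 40000, "in", time=1),      # its reply
    Packet("udp", STRANGER, 666, INSIDE, 40000, "in", time=2),    # unsolicited, forged sport
    Packet("udp", SERVER, 666, INSIDE, 22, "in", time=3),         # right host, wrong port
    Packet("udp", SERVER, 666, INSIDE, 40000, "in", time=100),    # reply after the timeout
]

TCP_TRACE = [
    Packet("tcp", INSIDE, 50000, SERVER, 80, "out", time=0),             # SYN
    Packet("tcp", SERVER, 80, INSIDE, 50000, "in", ack=True, time=1),    # SYN/ACK
    Packet("tcp", STRANGER, 80, INSIDE, 50000, "in", ack=True, time=2),  # ACK set, no connection
]


def compare(trace):
    """Verdicts of a fresh stateless and a fresh stateful filter on the same trace."""
    return run(StatelessFilter(), trace), run(StatefulFilter(), trace)


if __name__ == "__main__":
    for name, trace in (("udp", UDP_TRACE), ("tcp", TCP_TRACE)):
        stateless, stateful = compare(trace)
        print(name, "stateless:", stateless)
        print(name, "stateful: ", stateful)
```

The stateless filter passes every inbound UDP packet whose source port is 666 and every TCP packet with ACK set, including the forged ones from the stranger host; the stateful filter passes only the reply whose reversed 5-tuple it recorded, and forgets that rule once the timeout has elapsed. As mouss notes, this still does not emulate a TCP stack: the stateful filter here checks the 5-tuple, not sequence numbers or flag sequences.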
