From: "Crist J. Clark" <cjc@earthlink.net>
Reply-To: cjclark@alum.mit.edu
To: Dennis Jun <dennisjun@yahoo.com>
Cc: freebsd-questions@FreeBSD.ORG
Date: Thu, 16 Aug 2001 14:09:00 -0700
Subject: Re: How do stateful firewalls help increase security?
Message-ID: <20010816140900.H4232@blossom.cjclark.org>
References: <20010816195750.15814.qmail@web11608.mail.yahoo.com>
In-Reply-To: <20010816195750.15814.qmail@web11608.mail.yahoo.com>; from dennisjun@yahoo.com on Thu, Aug 16, 2001 at 12:57:50PM -0700

On Thu, Aug 16, 2001 at 12:57:50PM -0700, Dennis Jun wrote:
> A friend of mine asked me this today

Huh, wha? Asked you what? Oh, the subject line? "How do stateful
firewalls help increase security?" (The body of an email message
should be self-contained.)

> and I couldn't give him a definite answer, even though I use stateful
> firewalls. I was wondering if any gurus could enlighten me. Thanx.

The other option is a stateless packet filter. Stateless packet
filters are much, much better than nothing, but they do have
weaknesses.

For TCP, you can prevent incoming connections from the outside world
by blocking bare SYN-segments. This is the big plus of a stateless
filter. However, you are wide open to a wide variety of scanning
techniques like a simple ACK-scan. Anyone can map your internal
network. Anyone can send anything onto your network _except_ bare
SYN-segments. This can be troublesome. (Of course, you can cut off all
TCP, but why not just pull the plug?)

For UDP, you can cut which ports can come into the network. However,
for protocols which use an ephemeral UDP port, you're in trouble since
you need to open up the whole range for incoming UDP.

There are other issues with ICMP and other protocols, but they are
generally not as important. Often "stateful" firewalls only act as
stateless filters for non-TCP or UDP packets (better ones do state on
ICMP too).

-- 
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
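The two filter models contrasted in the message above, as an added example that is not part of the original post or of any FreeBSD firewall code: a small Python model of a stateless filter (per-packet rules only) next to a stateful one (a table of flows the LAN opened), run over a constructed packet sequence. It shows the point made above: the stateless filter drops an unsolicited inbound SYN but must pass an inbound bare ACK and any UDP datagram aimed at the ephemeral range, while the stateful filter admits only replies to flows the inside started. The addresses, port numbers and the lower bound of the ephemeral range (1024) are assumptions chosen for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp" or "udp"
    direction: str                   # "in" (from the Internet) or "out" (from the LAN)
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flag names, e.g. {"SYN"} or {"ACK"}


EPHEMERAL_LOW = 1024                 # assumed lower bound of the ephemeral port range
BARE_SYN = frozenset({"SYN"})


class StatelessFilter:
    """Per-packet rules only; nothing is remembered between packets."""

    def accept(self, p: Packet) -> bool:
        if p.direction == "out":
            return True                      # trust everything leaving the LAN
        if p.proto == "tcp":
            # The one strong rule: drop bare SYNs so nobody opens a connection
            # inward. Every other segment (bare ACK, RST, FIN...) has to pass,
            # or replies to connections the LAN opened would break; an ACK probe
            # therefore looks exactly like legitimate return traffic.
            return p.flags != BARE_SYN
        if p.proto == "udp":
            # Replies to a DNS query come back to an ephemeral port, so the whole
            # range must be open; unsolicited datagrams to that range get in too.
            return p.dport >= EPHEMERAL_LOW
        return False


class StatefulFilter:
    """Remembers flows the LAN started and admits only their replies."""

    def __init__(self) -> None:
        # entries: (proto, lan_ip, lan_port, remote_ip, remote_port)
        self.table: set = set()

    def accept(self, p: Packet) -> bool:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if p.direction == "out":
            if p.proto == "tcp" and p.flags != BARE_SYN:
                # only an outbound SYN creates TCP state; later segments need it
                return key in self.table
            self.table.add(key)              # new outbound flow (TCP SYN or UDP)
            return True
        # inbound: must be the exact reverse of a flow we opened
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.table


def evaluate(packets):
    """Return {label: (stateless_verdict, stateful_verdict)} for one packet sequence."""
    stateless, stateful = StatelessFilter(), StatefulFilter()
    return {label: (stateless.accept(p), stateful.accept(p)) for label, p in packets}


# Constructed sample traffic; all addresses are documentation/private ranges.
LAN, WEB, DNS, SCANNER = "10.0.0.5", "198.51.100.7", "198.51.100.53", "203.0.113.9"
SAMPLE = [
    ("lan opens web connection", Packet("tcp", "out", LAN, 40000, WEB, 80, frozenset({"SYN"}))),
    ("web server SYN/ACK reply", Packet("tcp", "in", WEB, 80, LAN, 40000, frozenset({"SYN", "ACK"}))),
    ("unsolicited inbound SYN",  Packet("tcp", "in", SCANNER, 55555, LAN, 22, frozenset({"SYN"}))),
    ("inbound bare ACK probe",   Packet("tcp", "in", SCANNER, 55555, LAN, 445, frozenset({"ACK"}))),
    ("lan sends DNS query",      Packet("udp", "out", LAN, 51000, DNS, 53)),
    ("DNS reply",                Packet("udp", "in", DNS, 53, LAN, 51000)),
    ("unsolicited inbound UDP",  Packet("udp", "in", SCANNER, 53, LAN, 5000)),
]

if __name__ == "__main__":
    for label, (sl, sf) in evaluate(SAMPLE).items():
        print(f"{label:28s} stateless={'pass' if sl else 'drop':4s} stateful={'pass' if sf else 'drop'}")
```

Running it prints one line per packet; the two rows that differ (the bare ACK probe and the unsolicited UDP datagram) are exactly the traffic the stateless filter cannot tell apart from legitimate replies, which is what the reply above means by "anyone can send anything onto your network except bare SYN-segments".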