I don't need no stinking firewall!

Simon Lockhart simon at slimey.org
Tue Jan 5 20:39:06 UTC 2010

On Tue Jan 05, 2010 at 02:16:58PM -0600, Brian Johnson wrote:
> I have my own idea of what a firewall is and what it does. I also
> understand what stateful packet inspection is and what it does. Given
> this information, and not prejudging any responses, exactly what is a
> firewall for and when is stateful inspection useful?

Not sure I'd call myself a security guru, but...

I'm not a great fan of packet filtering firewalls (as opposed to proxy based
or application layer firewalls).

Generally, I just use stateless ACLs when I need additional network level
security. However, they do have one big disadvantage. Say you've got a server
where you want to allow outbound HTTP access to anywhere on the Internet, but
only SSH inbound from your home DSL. To do this, you'd build an inbound ACL
which looks something like:

  - Allow from home DSL IP to server port 22
  - Allow from anywhere port 80 to server
  - Deny all other traffic.

You need the port 80 rule to allow the return traffic from all those outbound

However, an enterprising hacker realises that he can create a TCP connection
from port 80 on his own box to port 22 on your server.

Now, if you change from stateless to stateful ACLs, you add the intelligence
that whenever it sees a connection originating from your server to port 80
on the internet, it automatically adds a rule that allows traffic back from
the server you're talking to, but not anywhere else. Therefore, your 
enterprising hacker can no longer connect in.

Of course, the other benefit that a stateful inspection firewall can do is
pattern matching on undesirable traffic based on signatures.
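The following is an added example, not part of Simon's post: a small Python model of the two inbound filters he describes, run against the packets from his scenario. The stateless evaluator is the three-rule ACL judged one packet at a time; the stateful one records connections the server opens and admits only their exact reverse. The server, home DSL, attacker and web-site addresses are made up for the example (RFC 5737 documentation ranges), as are the port numbers.

```python
from dataclasses import dataclass

# All addresses below are constructed for this example (RFC 5737 documentation ranges).
SERVER = "192.0.2.10"       # the server being protected
HOME_DSL = "198.51.100.7"   # the only address allowed to SSH in
ATTACKER = "203.0.113.66"   # an outside host we do not want on port 22
WEB = "203.0.113.80"        # a web site the server legitimately browses


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def stateless_inbound(pkt: Packet) -> bool:
    """The three-rule inbound ACL from the post, judged one packet at a time.

    Rule 2 has to let in anything *from* port 80 so that replies to the
    server's own outbound HTTP get through, and that is the hole: the filter
    cannot tell a reply from a fresh connection that merely uses source port 80.
    """
    if pkt.src == HOME_DSL and pkt.dst == SERVER and pkt.dport == 22:
        return True                      # allow home DSL -> server:22
    if pkt.sport == 80 and pkt.dst == SERVER:
        return True                      # allow anywhere:80 -> server
    return False                         # deny everything else


class StatefulInbound:
    """Same policy, but with a connection table filled by outbound traffic."""

    def __init__(self) -> None:
        # Flows the server itself opened: (server_ip, server_port, remote_ip, remote_port)
        self.flows: set[tuple[str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> bool:
        # Only outbound HTTP is needed in this scenario; record the flow so that
        # exactly its reverse is permitted back in.
        if pkt.src == SERVER and pkt.dport == 80:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False

    def inbound(self, pkt: Packet) -> bool:
        if pkt.src == HOME_DSL and pkt.dst == SERVER and pkt.dport == 22:
            return True                  # static rule, same as before
        # Dynamic "return traffic" rule: accept only the reverse of a known flow.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def run_scenario() -> dict[str, tuple[bool, bool]]:
    """Return {case: (stateless_verdict, stateful_verdict)} for the packets in the post."""
    sf = StatefulInbound()
    # The server opens an HTTP connection from ephemeral port 51234 to WEB:80.
    sf.outbound(Packet(SERVER, 51234, WEB, 80))

    cases = {
        "ssh_from_home": Packet(HOME_DSL, 40000, SERVER, 22),
        "ssh_from_attacker": Packet(ATTACKER, 40000, SERVER, 22),
        "legit_http_reply": Packet(WEB, 80, SERVER, 51234),
        # The trick from the post: attacker binds source port 80 and aims at sshd.
        "attacker_from_port_80_to_ssh": Packet(ATTACKER, 80, SERVER, 22),
        # A variant: attacker also guesses the server's ephemeral port.
        "attacker_forging_reply": Packet(ATTACKER, 80, SERVER, 51234),
    }
    return {name: (stateless_inbound(p), sf.inbound(p)) for name, p in cases.items()}


if __name__ == "__main__":
    def verdict(ok: bool) -> str:
        return "pass" if ok else "drop"

    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:32} stateless={verdict(stateless):4}  stateful={verdict(stateful)}")
```

Running it shows the attacker's port-80-to-port-22 connection passing the stateless ACL and being dropped by the stateful one, while the genuine HTTP reply passes both. On Linux the stateful half is what `iptables -m conntrack --ctstate ESTABLISHED,RELATED` provides; the stateless half is what you get by matching on `--sport 80` alone. A real connection tracker also checks TCP flags and sequence numbers and times entries out, which this model leaves out.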

