I don't need no stinking firewall!

Brandon M. Lapointe brandon at shrader.net
Wed Jan 6 17:18:55 UTC 2010

-----Original Message-----
From: David Hiers [mailto:hiersd at gmail.com] 
Sent: Wednesday, January 06, 2010 10:50 AM
To: Brian Johnson
Cc: nanog at nanog.org
Subject: Re: I don't need no stinking firewall!

>Poking the dragon a bit, aren't you?  Fun.

>If you really look at it, there is no quantitative difference between
>stateful and non-stateful.  A non-stateful firewall can prevent a
>TCP session from entering the SYN_RECEIVED state by blocking the SYN
>packet, so it strongly impacts session state without really trying.  A
>stateful firewall will venture a bit deeper into the state diagram
>with a few more rules, but this is mostly a quantitative difference
>when viewed at a behavioral level -snip-



As mentioned before, the line has substantially blurred with what current devices (routers/load balancers) can do in hardware.

Brandon L.

On Tue, Jan 5, 2010 at 12:16 PM, Brian Johnson <bjohnson at drtel.com> wrote:
> Security Gurus, et al,
> I have my own idea of what a firewall is and what it does. I also
> understand what stateful packet inspection is and what it does. Given
> this information, and not prejudging any responses, exactly what is a
> firewall for and when is stateful inspection useful?
> Please respond on-list as I want to have some useful discourse and
> discussion in the clear. Flamers and Trolls will be disregarded. :)
> Thank you.
>  - Brian
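
The stateless versus stateful distinction debated in this thread, as an added example (not code from any poster): a per-packet rule that admits inbound segments with ACK or RST set is compared with a minimal connection tracker over a constructed packet sequence. The addresses, the rule and all names in the code are assumptions made for illustration.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "direction src sport dst dport flags")

# Constructed sample traffic (documentation address ranges), not captured data.
PACKETS = [
    Pkt("out", "10.0.0.5", 40000, "203.0.113.10", 443, {"SYN"}),
    Pkt("in", "203.0.113.10", 443, "10.0.0.5", 40000, {"SYN", "ACK"}),
    Pkt("out", "10.0.0.5", 40000, "203.0.113.10", 443, {"ACK"}),
    Pkt("in", "198.51.100.7", 443, "10.0.0.5", 40001, {"ACK"}),  # no matching flow
    Pkt("in", "198.51.100.7", 5555, "10.0.0.5", 22, {"SYN"}),    # unsolicited SYN
]


def stateless_filter(pkt):
    """Per-packet rule: outbound is allowed; inbound needs ACK or RST set."""
    if pkt.direction == "out":
        return True
    return bool(pkt.flags & {"ACK", "RST"})


class StatefulFilter:
    """Tracks flows opened from inside; inbound must match a tracked flow."""
    def __init__(self):
        self.flows = {}  # (inside ip, port, outside ip, port) -> state

    def check(self, pkt):
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == {"SYN"}:
                self.flows[key] = "SYN_SENT"
            elif "ACK" in pkt.flags and self.flows.get(key) == "SYN_ACK_SEEN":
                self.flows[key] = "ESTABLISHED"
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.flows.get(key)
        if state in ("SYN_SENT", "SYN_ACK_SEEN") and pkt.flags == {"SYN", "ACK"}:
            self.flows[key] = "SYN_ACK_SEEN"
            return True
        return state == "ESTABLISHED" and "SYN" not in pkt.flags


def compare(packets):
    """Return (stateless verdicts, stateful verdicts) for a packet sequence."""
    sf = StatefulFilter()
    return [stateless_filter(p) for p in packets], [sf.check(p) for p in packets]


if __name__ == "__main__":
    print(compare(PACKETS))
```

Both filters drop the unsolicited inbound SYN; only the tracker drops the inbound ACK that belongs to no flow opened from inside.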
