> -----Original Message-----
> From: Bernd Eckenfels [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 28 July 2000 4:38 PM
> To: Chris Brenton
> Cc: Patrick Darden; Ben Nagy; [EMAIL PROTECTED]
> Subject: Re: cisco Established keyword
> 
> 
> On Wed, Jul 26, 2000 at 03:27:31PM -0400, Chris Brenton wrote:
> > Patrick Darden wrote:
> > > 
> > > Ben, we disagree on our definition of stateful.  RACLs do not store
> > > session information (e.g. tcp sequence numbers),
> > 
> > If this was true then most stateful packet filters would not be. Just
> > did a dump on FW-1 & iptables, don't see sequence numbers stored in
> > either.
> 
> How can FW-1 reconstruct texts over IP boundaries if they don't keep track of
> the sequence number? Does this mean that the stateful inspection is not
> only limited by goofy inspection scripts (assume the PORT command at the
> start of the IP packet) but also by the architecture of the firewall?

(Disclaimer: I don't know jack about FW-1)

Good question. You've got to think about what's actually happening when a
firewall inspects the contents of packets....

First of all, you have some sort of filter that tells you if there is an
existing hole in the state table to even allow the packet to be considered
for processing by the firewall. This does not have to have sequence numbers
- it's just a thing saying "Yes, there is a conversation happening between
ftp.cisco.com and 10.1.1.2". It can be stateful, static or even completely
open.

This front-line filter is normally implemented in kernel-space although for
NT boxen it seems that normal practice is to write a modified "protocol"
(NDIS wrapper thingy) or modified "NIC" (much the same effect).

Assuming that the packets make it past the first post, the _data_ in those
packets gets handed off to userspace for further inspection. For this to
happen, the FW TCP/IP stack needs to do all the normal TCP/IP stack things -
reassembly, retransmission, reordering blah blah blah. Obviously the
sequence numbers are used at this point.

Now, the inspection engine (or whatever they call it - I'm talking
generically here) gets a crack at the packet - it can dump it if it looks
suspicious, even if it's slipped past the state table in the first instance.
This engine is (normally) a userspace application though - it relies on the
TCP/IP stack delivering it some data to inspect.

If the packet passes muster at the userspace level, the packet gets queued
for re-insertion into the flow and passed on to the end user.

Is that any clearer?

> 
> Greetings
> Bernd

Cheers,

--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
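The two-stage picture Ben sketches (a state table keyed only on the conversation, then a TCP/IP stack stage that uses sequence numbers to reassemble before a userspace engine inspects the data), as an added illustration that is not from this thread or any of the products named in it. The segment layout, the 40001/5555 ports, the 192.0.2.9 stray host and the split FTP PORT line are all constructed; ftp.cisco.com and 10.1.1.2 are the hosts from Ben's own example.

```python
from collections import namedtuple

# constructed TCP segment: addressing, sequence number and payload only
Segment = namedtuple("Segment", "src sport dst dport seq payload")

class StateTable:
    """Front-line filter: one 'hole' per conversation, keyed on addresses
    and ports only. No sequence numbers are stored here."""
    def __init__(self):
        self.holes = set()
    def open(self, client, cport, server, sport):
        self.holes.add((client, cport, server, sport))
    def allows(self, seg):
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)
        rev = (seg.dst, seg.dport, seg.src, seg.sport)
        return fwd in self.holes or rev in self.holes

class Reassembler:
    """Stack stage: buffers out-of-order segments and releases bytes only
    once the next expected sequence number has arrived."""
    def __init__(self, isn):
        self.next_seq, self.pending = isn, {}
    def push(self, seg):
        self.pending[seg.seq] = seg.payload
        out = b""
        while self.next_seq in self.pending:
            chunk = self.pending.pop(self.next_seq)
            out += chunk
            self.next_seq += len(chunk)
        return out

def ftp_port_commands(data):
    """Userspace inspection engine: complete FTP PORT lines found in data."""
    return [ln for ln in data.split(b"\r\n") if ln.startswith(b"PORT ")]

def run_firewall(table, segments, isn):
    """Drop segments with no hole, reassemble the rest, then inspect."""
    reasm, stream = Reassembler(isn), b""
    for seg in segments:
        if table.allows(seg):       # no hole in the table: never inspected
            stream += reasm.push(seg)
    return stream, ftp_port_commands(stream)

def example():
    """Constructed: control connection arriving out of order, plus a stray."""
    table = StateTable()
    table.open("10.1.1.2", 40001, "ftp.cisco.com", 21)
    c = ("10.1.1.2", 40001, "ftp.cisco.com", 21)
    segs = [Segment(*c, 1002, b"RT 10,1,1,2,4,1\r\n"),
            Segment("192.0.2.9", 5555, "ftp.cisco.com", 21, 1, b"PORT 1,2,3,4,5,6\r\n"),
            Segment(*c, 1000, b"PO")]
    return run_firewall(table, segs, 1000), segs
```

Inspecting each segment on its own finds no PORT line at all (the command is split across two segments), while the reassembled stream yields the complete line; the stray segment carries a PORT line but never reaches the engine because the state table has no hole for it.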