On Mon, 4 Dec 2000, Dane Balia wrote:

> Hi
> 
> I was wondering, and in sheer ignorance would like to know, if ipchains
> has no stateful inspection written into it, why is it supported so much
> and why hasn't it been included?

TCP-based systems keep their own state, and other than some DoS stuff
(which should be tuned on Internet-accessible hosts anyway), there's not a
great deal of value from the filter keeping state.  Cisco router filtering
on a normal IOS image isn't stateful either, but it's still the best
first-line of defense.

Adding mechanisms to keep state increases the complexity of the code, and
if current state-keeping commercial firewalls are anything to go by, it's
not easy to get right.

Since the biggest gain for keeping state is UDP or ICMP, and other than
DNS, there's more likelihood of people just blocking those where they're
not necessary if they're security-clued, why place a state requirement on
the filtering mechanism?  DNS should go to a controlled machine or
two running a local resolver, no reason to allow anything else to talk UDP
if you're really worried about security.


> I've used BSD and other Unixes, and seen the wonders of the likes of:
> IPFW
> IP Filters
> and seen the beauty of stateful inspection. I know this question should be
> directed @ a more Linux orientated list, but I'd like to know why it comes
> so well recommended. So, someone tell me, is there something I'm missing
> ????

Stateful rules are added in the next revision of Linux filtering, which
will replace IPChains.  Personally, I'd just add an *BSD box using
IPFilter up front if I thought state was important to filter on, given
that any software should be given some time to stabilize prior to
mission-critical security deployments.

I thought I saw some stateful filtering stuff for 2.2 kernels somewhere
too, but it was a while back and I don't know what sort of state the
project was in ;)

For security, blocking a protocol is *always* preferable to passing it
when talking to the Internet at large, so state would only really play a
part in mission-critical protocols that absolutely must be supported and
don't contain any state information themselves.  Typically, that's limited
to DNS, which has query IDs and can be limited to say a box running
dnscache for external interaction.  Given that, for most sites, I don't
think that state in filtering is all that much of a gain, unless you're
trying to protect buggy stacks, untunable stacks, or protocols that you
really shouldn't be passing if they're that bad.  Certainly the value of
state is only incremental when compared with the base value of filtering
in any reasonably paranoid environment.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
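As an added illustration of the distinction drawn in this thread (example code, not from the list or any of the posters), the following Python runs constructed traffic through two toy filters: an ipchains-style stateless decision that treats any non-SYN TCP packet as "established" and trusts UDP from the resolver's port 53, and a connection-tracking filter that only admits replies to flows the inside host opened. The addresses, ports and flow-table layout are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP flags; ignored for udp
    ack: bool = False

INSIDE = "192.0.2.10"        # constructed: the protected host
RESOLVER = "198.51.100.53"   # constructed: the one permitted DNS server

def stateless_allow(pkt):
    """Inbound decision a per-packet (ipchains-style) ruleset can make:
    TCP is 'established' if it is not a bare SYN (ipchains '! -y');
    UDP is allowed only from port 53 of the designated resolver."""
    if pkt.dst != INSIDE:
        return False
    if pkt.proto == "tcp":
        return not (pkt.syn and not pkt.ack)
    return pkt.proto == "udp" and pkt.src == RESOLVER and pkt.sport == 53

class StatefulFilter:
    """Inbound packets pass only if they answer a flow the inside host opened."""
    def __init__(self):
        self.flows = set()   # (proto, inside_ip, inside_port, remote_ip, remote_port)
    def outbound(self, pkt):
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
    def allow(self, pkt):
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.flows:
            return False
        if pkt.proto == "udp":          # one reply per query, then the slot closes
            self.flows.discard(key)
        return True

def compare():
    """Constructed traffic through both filters; returns {case: (stateless, stateful)}."""
    sf = StatefulFilter()
    sf.outbound(Packet("tcp", INSIDE, 40000, "203.0.113.5", 80, syn=True))
    sf.outbound(Packet("udp", INSIDE, 33000, RESOLVER, 53))
    cases = {
        "syn-ack to our connection": Packet("tcp", "203.0.113.5", 80, INSIDE, 40000, syn=True, ack=True),
        "unsolicited ack-only to ssh": Packet("tcp", "203.0.113.9", 12345, INSIDE, 22, ack=True),
        "dns reply to our query": Packet("udp", RESOLVER, 53, INSIDE, 33000),
        "udp from port 53, no query": Packet("udp", RESOLVER, 53, INSIDE, 33001),
    }
    return {name: (stateless_allow(p), sf.allow(p)) for name, p in cases.items()}
```

The two cases where the results diverge are exactly the ones the thread describes: the stateless filter must rely on the TCP stack to discard the unsolicited ACK, and must rely on the resolver's query-ID matching to discard the stray UDP datagram, while the tracking filter drops both at the filter.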
