Title: RE: Router packet filtering

A little background first:

What a firewall uses is a state table to keep track of connections when they are made and to allow the return packets to get back to the client. If you have two simple rules:

AnythingInternal  TO  AnythingExternal  ACCEPT
Anything          TO  Anywhere          DENY

This, you would think, would allow your internal PCs to connect to the outside but not allow the outside to connect to the inside. Right?

Well, without state tables it's wrong.
The original session-creation packets go out fine, and then the data from the remote server comes back. But when the remote data packet reaches the FW, the FW applies its rules base and matches it to rule 2. Guess what? It's denied!

The way it is really done is through state tables.
When you send a packet out, it is part of a session. The FW keeps track of that session through the state table, so that when the reply packets come back in, the FW knows they belong to a connection 'requested' from internal, which is allowed by the first rule. So the FW passes them through even though each one is a packet 'from somewhere destined for anywhere' (rule 2).

UDP packets are not a problem outbound, but inbound you should not allow them unless you have a good reason to. This applies to TCP, GRE, any packet that you allow in through the firewall.

You can learn more by reading up on the SYN-ACK-FIN sequencing in TCP/IP and also the difference between connection-oriented (TCP) and connectionless (UDP) transmissions. Try Stevens, TCP/IP Illustrated, Vol. 1.

I would recommend this book for just about anything TCP/IP related.

>some protocols like FTP which use more than one data stream
>present problems  for a router based firewalls.

Remember that FTP negotiates a session on 21 but then uses a dynamically assigned port above 1024, so the router would have to know that port 1025 is the data session for the FTP connection that was just negotiated. Ports are just placeholders for the two ends of a communication, to keep things straight. You can run FTP on any port that you want. So since a screening router is looking for FTP on port 21 and not allowing any other ports, when you get to the data-transfer portion of your FTP session the router would throw it away, since it only allows port 21 and no others, even though it is part of an FTP session.

I hope this helps a little.
Mike

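The two-rule example and the FTP data-channel problem from the reply above, worked through as an added illustration (this is not code from the original post or from anyone on the thread). It is a toy packet filter that evaluates the same two rules first without and then with a state table, and then adds the kind of application-aware FTP helper a plain screening router lacks: it parses the PORT command on the control channel and pre-authorises the one inbound data connection it announces. The 10.0.0.x inside network, the 203.0.113.x servers and every packet are constructed for the example; the PORT handling covers the active-mode case, where the server connects back from port 20 to the client's high port.

```python
"""Toy stateful packet filter (added illustration; not from the original post).
Rules from the post: 1. internal -> external ACCEPT; 2. anything -> anywhere DENY.
All addresses, ports and packets below are constructed for the example."""
import re
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."   # constructed: hosts 10.0.0.x are "inside"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    payload: bytes = b""


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def stateless_decision(pkt: Packet) -> str:
    """Screening router: rule 1 then rule 2, with no memory of earlier packets."""
    if is_internal(pkt.src) and not is_internal(pkt.dst):
        return "ACCEPT"   # rule 1
    return "DENY"         # rule 2


def key_of(p: Packet) -> tuple:
    return (p.proto, p.src, p.sport, p.dst, p.dport)


class StatefulFilter:
    """The same two rules, plus a state table of sessions opened from inside."""

    def __init__(self) -> None:
        self.state = set()      # 5-tuples of sessions allowed out
        self.expected = set()   # inbound connections an application helper pre-authorised

    def decision(self, pkt: Packet) -> str:
        key = key_of(pkt)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state or reverse in self.state:
            self._ftp_helper(pkt)       # an established control channel may announce a data channel
            return "ACCEPT (established)"
        if key in self.expected:
            self.expected.discard(key)  # one-shot expectation, consumed on first use
            self.state.add(key)
            return "ACCEPT (related)"
        verdict = stateless_decision(pkt)
        if verdict == "ACCEPT":
            self.state.add(key)         # remember the outbound session so its replies get in
            self._ftp_helper(pkt)
        return verdict

    def _ftp_helper(self, pkt: Packet) -> None:
        """Active-mode FTP: 'PORT h1,h2,h3,h4,p1,p2' on the control channel asks the
        server to connect from port 20 to h1.h2.h3.h4:(p1*256+p2); pre-authorise
        exactly that inbound connection and nothing else."""
        if pkt.proto != "tcp" or pkt.dport != 21:
            return
        m = re.match(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n", pkt.payload)
        if not m:
            return
        h = [int(x) for x in m.groups()]
        client_ip = ".".join(map(str, h[:4]))
        if client_ip != pkt.src:        # refuse PORT commands naming a third host
            return
        self.expected.add(("tcp", pkt.dst, 20, client_ip, h[4] * 256 + h[5]))


def run_demo() -> dict:
    """Replay the post's scenarios; returns each verdict keyed by scenario name."""
    client, server = "10.0.0.5", "203.0.113.10"   # constructed addresses
    out = Packet(client, 40001, server, 80)
    reply = Packet(server, 80, client, 40001)
    fw = StatefulFilter()
    r = {"stateless_out": stateless_decision(out),
         "stateless_reply": stateless_decision(reply),   # rule 2 bites
         "stateful_out": fw.decision(out),
         "stateful_reply": fw.decision(reply)}
    # UDP has no handshake, but the table still pairs a DNS answer with its query.
    fw.decision(Packet(client, 53000, "203.0.113.53", 53, proto="udp"))
    r["dns_answer"] = fw.decision(Packet("203.0.113.53", 53, client, 53000, proto="udp"))
    # Active FTP: control channel on 21, then PORT 10,0,0,5,4,1 = call back to 10.0.0.5:1025.
    data = Packet(server, 20, client, 1025)
    r["ftp_data_stateless"] = stateless_decision(data)   # screening router throws it away
    fw.decision(Packet(client, 40002, server, 21))
    fw.decision(Packet(client, 40002, server, 21, payload=b"PORT 10,0,0,5,4,1\r\n"))
    r["ftp_data_stateful"] = fw.decision(data)
    r["unsolicited_inbound"] = fw.decision(Packet(server, 4444, client, 1025))
    return r


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:20} {verdict}")
```

Running it shows the reply packet and the FTP data connection denied by the rules base alone and accepted once the state table (and, for FTP, the PORT helper) is consulted, while an inbound connection nobody asked for still falls through to rule 2. The helper deliberately accepts only a PORT command whose address matches the client that sent it; a helper that trusts any address in the command would let the control channel open the firewall for a third host.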
-----Original Message-----
From: Sudipto basu [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 22, 2001 11:33 AM
To: [EMAIL PROTECTED]
Subject: Router packet filtering


I think my earlier question was not clear to some. So
let me refine it.

I mean to say that without any s/w support, a filtering
technique at router level cannot filter those
packets.
Is that right? If yes, then why?
I have a book which reads like this:


"A router alone cannot fully control a stream of IP
packets, as it cannot monitor the state
of incoming and outgoing packets, so some protocols
like FTP which use more than one data stream
present problems for router-based firewalls.

Things get worse when you use a connectionless
protocol like UDP,
which forms the basis of DNS. In order to control UDP
streams in a firewall, you need to add some form of
state monitoring to a packet filter."

I think my question is somewhat clear now.

Sudipto basu
[EMAIL PROTECTED]



=====

The most I can do for my friend is.
Simply to be his friend.

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls