Firewalling with LordInfidel

By LordInfidel
This is a continuation of my latest thread "DSL and Firewalls".

Every so often, I will be asked a question by a peer or coworker regarding security and firewalling concepts that I would deem "shareable knowledge". That is, I believe others would be interested in knowing the answer.

Today, I was asked by a co-worker what a Stateful Firewall was. He has heard the term but really did not fully grasp the 'full' concept behind it.

I say 'full' because he understood the state of flags such as SYN, SYN/ACK, ACK. But that was the limit of his understanding.

So I thought I would share my answer to him here with you.

It is my hope that if you have had a yearning to know this answer or have been generally clueless about firewalling and the concept, that this helps you.

If you have a question, please feel free to ask.


What is state?

by LordInfidel In reply to Firewalling with LordInfi ...

First, What is State.

At the basic level, state (or session state) is the state of communication between 2 systems.

There are 3 parts to session state: the initial request, the response to the request, and the data transfer.

To break the communication down:
When you request a web page, your system starts up a connection with a remote web server on port 80. Since this is a new session, your system generates a TCP request from a local port greater than 1023 to the remote TCP port 80.

This first packet is called the "Syn" request.
(SYN=Connection Synchronization Request)

The SYN packet is what says, "Hey, I want to talk to you, are you available?"

The remote system gets your SYN packet on TCP 80 from your local port of, let's say, TCP 1503. Since there is an anonymous web server configured on that port, the web server will send back a response to you.

It does this by sending you an ACK (acknowledgement) to your SYN request, plus its own SYN request.

This response is called a SYN-ACK, which essentially answers your question to it: "Yes, I am here and willing to talk to you on the local port you specified, here is my info."

Once your machine receives the SYN-ACK it then generates another ACK and sends it to the server to complete the establishment of the connection.

From this point, the rest of the communication will take place with just the ACK flag set. The SYN flag, during the established session, will not be present. However, other flags might show up during the conversation, such as RST (reset).

Next let's look at the state of the session and compare it to firewall rules.


Rules and State

by LordInfidel In reply to What is state?

We now know that the first packet sent has the SYN flag set. We can effectively filter connections based on that.

Assuming that your network has no network services on it, we can say that you do not want anyone from the net to initiate a conversation with a host behind your firewall.

To do this we filter the connections based on the state of the connection. Since the first packet will have the SYN flag set, we can say "any new connections from the net, drop".

Well, does this now stop all traffic from the net? No, and why? Because at this point it would be possible to send invalid requests to the firewall.

An invalid request would be if I generate packets from my port 80 with just the ACK flag set. If your firewall is configured incorrectly it would be allowed through.

So your next rule needs to be "any invalid connections from the net, drop".

These rules should be first in your chain.

Now this is where session state rears its head.

(assuming DNS is already configured and allowed)
Let's say you want your hosts to be able to surf the net. You would add a rule that says "from the LAN on ports above 1023 to the net on port 80, allow new connections".

You would also say "from the LAN on ports above 1023 to the net on port 80, allow established connections".

And "from the net on port 80 to the LAN above port 1023, allow established connections".

Now when your system starts up a session with a web server, the firewall will know the state of the connection and will allow the sessions through.


Closing Statements

by LordInfidel In reply to Rules and State

To confuse issues more, there are different techniques out there for the firewall to do this. The first method that I described above is all well and good except for the ability of hackers to replay connections.

So to combat this, you should look for a firewall that does dynamic filtering, where not only will it keep track of state, but also the state of the ports.

So if your host starts up a session from its port 1343 to destination port 80, the firewall will know to look for a SYN-ACK from 80 to 1343. And vice versa.

The dynamic firewall will make a temporary rule for this connection.

Let's say the connection is closed and the temporary rule is removed. If a hacker tried to replay that connection and send an ACK from 80 to 1343, the firewall will drop it because it is not a valid established connection.

These are things that you should keep in mind when looking for a firewall.

Ask the vendor how it keeps session state. If it does not keep session state dynamically, then you will have to look long and hard at the viability of it.

A lot of the problems that home networks have with the lower-end firewalls have to do with session state and improperly configured rule sets.

Remember though, a properly configured stateless firewall does no good when it is sent invalid requests.

Something to think about.
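
The handshake tracking and rule ordering described in the three posts above (drop NEW and INVALID from the net first, then the LAN-to-web rules, then the replay case from the closing post), as an added example that is not part of the original thread. It is a toy connection tracker in Python that classifies each packet as NEW, ESTABLISHED or INVALID the way the posts describe, then runs an ordered rule list over a constructed packet trace. The inside network 192.168.1.0/24, the web server 203.0.113.5, the attacker 198.51.100.9 and all port numbers are assumptions; retransmitted SYNs and sequence numbers are not modelled.

```python
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")  # constructed inside network
EPHEMERAL_MIN = 1024                           # "ports above 1023"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}

def is_lan(ip):
    return ipaddress.ip_address(ip) in LAN

class ConnTracker:
    """Tracks each TCP session by 4-tuple, keyed from the originator's side."""
    def __init__(self):
        self.table = {}  # (orig_ip, orig_port, resp_ip, resp_port) -> session state

    def _lookup(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table:
            return fwd, "orig"
        if rev in self.table:
            return rev, "reply"
        return fwd, None

    def classify(self, pkt):
        """Return (NEW|ESTABLISHED|INVALID, key, next session state) without mutating."""
        key, direction = self._lookup(pkt)
        f = pkt.flags
        if direction is None:  # no entry: only a bare SYN starts a session
            return ("NEW", key, "SYN_SENT") if f == {"SYN"} else ("INVALID", key, None)
        state = self.table[key]
        if "SYN" in f and "ACK" not in f:  # a second SYN on a live entry (retransmits not modelled)
            return "INVALID", key, None
        if "RST" in f:  # reset tears the entry down
            return "ESTABLISHED", key, "CLOSED"
        if state == "SYN_SENT":
            ok = direction == "reply" and f == {"SYN", "ACK"}
            return ("ESTABLISHED", key, "SYN_RECV") if ok else ("INVALID", key, None)
        if state == "SYN_RECV":
            ok = direction == "orig" and f == {"ACK"}
            return ("ESTABLISHED", key, "ESTABLISHED") if ok else ("INVALID", key, None)
        if state == "ESTABLISHED":
            return "ESTABLISHED", key, "FIN_WAIT" if "FIN" in f else "ESTABLISHED"
        if state == "FIN_WAIT":  # one side has sent FIN; wait for the other
            return "ESTABLISHED", key, "LAST_ACK" if "FIN" in f else "FIN_WAIT"
        return "ESTABLISHED", key, "CLOSED"  # LAST_ACK: the final ACK removes the entry

    def commit(self, key, next_state):
        """Apply the state change only for packets the rules accepted."""
        if next_state == "CLOSED":
            self.table.pop(key, None)
        elif next_state is not None:
            self.table[key] = next_state

EPH, WEB, ANY = (lambda p: p >= EPHEMERAL_MIN), (lambda p: p == 80), (lambda p: True)

# Ordered as in the posts: net NEW/INVALID dropped first, then the LAN web rules.
# (name, src is lan, sport test, dst is lan, dport test, states, action)
RULES = [
    ("drop new from net",      False, ANY, True,  ANY, {"NEW"},         "DROP"),
    ("drop invalid from net",  False, ANY, True,  ANY, {"INVALID"},     "DROP"),
    ("lan -> web new",         True,  EPH, False, WEB, {"NEW"},         "ACCEPT"),
    ("lan -> web established", True,  EPH, False, WEB, {"ESTABLISHED"}, "ACCEPT"),
    ("web -> lan established", False, WEB, True,  EPH, {"ESTABLISHED"}, "ACCEPT"),
]

def filter_packet(tracker, pkt):
    """First matching rule wins; the default policy is DROP."""
    state, key, nxt = tracker.classify(pkt)
    verdict = "DROP"
    for _, src_lan, sp, dst_lan, dp, states, action in RULES:
        if (is_lan(pkt.src) == src_lan and sp(pkt.sport)
                and is_lan(pkt.dst) == dst_lan and dp(pkt.dport) and state in states):
            verdict = action
            break
    if verdict == "ACCEPT":
        tracker.commit(key, nxt)
    return state, verdict

def run_scenario():
    """Constructed trace: one web session, two bogus inbound packets, then a replay."""
    fw = ConnTracker()
    c, s, x = "192.168.1.10", "203.0.113.5", "198.51.100.9"  # client, web server, attacker
    F = frozenset
    trace = [
        ("syn",              Packet(c, 1503, s, 80, F({"SYN"}))),
        ("syn-ack",          Packet(s, 80, c, 1503, F({"SYN", "ACK"}))),
        ("ack",              Packet(c, 1503, s, 80, F({"ACK"}))),
        ("http data",        Packet(s, 80, c, 1503, F({"ACK"}))),
        ("bare ack from 80", Packet(x, 80, c, 2000, F({"ACK"}))),    # the "invalid request"
        ("syn to lan:22",    Packet(x, 4444, c, 22, F({"SYN"}))),    # net-initiated session
        ("client rst",       Packet(c, 1503, s, 80, F({"RST", "ACK"}))),
        ("replayed ack",     Packet(s, 80, c, 1503, F({"ACK"}))),    # replay after teardown
    ]
    return [(label,) + filter_packet(fw, pkt) for label, pkt in trace]
```

Running `run_scenario()` gives ACCEPT for the four packets of the real session, DROP (INVALID) for the bare ACK that never had a SYN, DROP (NEW) for the inbound SYN to port 22, ACCEPT for the client's RST, and DROP (INVALID) for the ACK replayed after the entry was removed. The rule order matters: if the LAN web rules came first, nothing changes here, but with a rule set that matched on ports alone (no state column) the bare ACK from port 80 would pass the "web -> lan" rule.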


Some good breakfast food for thought....

by Jellimonsta In reply to Closing Statements

... and to think I usually just eat cereal. :-)


ftp port...

by tyya44 In reply to What is state?

Infidel, I must say this is a very interesting topic, but before I carry on reading: I thought FTP is port 21 and HTTP is 80. Could you throw more light on that please?



by LordInfidel In reply to ftp port...

To begin, there are 2 types of ports.

Privileged and unprivileged.

Privileged ports are those ports used exclusively by services and live under 1023.

Such as HTTP (TCP 80).

Unprivileged ports are between 1023-65335 (these are also called ephemeral ports).

When your client machine wants to make a connection to a remote web site, it gets a port from the ephemeral range and sends a SYN packet to the remote server's port 80.

Your port then is called the source port, and the remote server's port is called the destination port. Once the SYN/SYN-ACK/ACK has taken place, the 2 systems can talk to each other.

In 99% of all client requests, your source port will be grabbed from the ephemeral port range.

FTP on the other hand is different.

It requires 2 ports for communication. A data port 20, and a control port 21.

So what happens is, when you start up an FTP session, you will grab a port from the ephemeral range and contact the server on TCP 21. Once that is established, the server will try to contact you on "YOUR" TCP 20, coming from "THEIR" ephemeral range.

Well, this does not bode very well for stateless firewalls or firewalls not doing connection tracking, because they will not allow connections from a remote connection's ephemeral range to a privileged port. And this will break the connection.

Which is where passive ftp comes into play. Passive FTP allows the client to also specify the data port in the client side ephemeral range.
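
How the FTP control channel decides which side opens the data connection, and why a filter that only lets the LAN initiate sessions passes passive transfers but not active ones, as an added example that is not part of the original thread. It parses the two RFC 959 address formats (the client's `PORT h1,h2,h3,h4,p1,p2` command and the server's `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply, port = p1*256 + p2); in active mode the server opens the data connection from its port 20 to the port the client named, in passive mode the client opens it from an ephemeral port to the port the server named. The inside network 192.168.1.0/24, the client 192.168.1.10, the server 203.0.113.5 and the control lines are constructed; the `outbound_only` policy and the check that a PORT command names the client itself are this example's own, not the thread's.

```python
import ipaddress
import re
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")  # constructed inside network
EPHEMERAL = 1024  # stand-in for "some port above 1023" picked by the client

# RFC 959 address forms: "PORT h1,h2,h3,h4,p1,p2" and "227 ... (h1,h2,h3,h4,p1,p2)"
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227\s.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

@dataclass(frozen=True)
class DataConn:
    mode: str       # "active" or "passive"
    src_ip: str     # the side that sends the SYN for the data connection
    src_port: int
    dst_ip: str
    dst_port: int

def decode_hp(groups):
    """Turn the six decimal fields into (ip, port); the port is p1*256 + p2."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in FTP address")
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def plan_data_connection(line, client_ip, server_ip):
    """Return the data connection implied by one control-channel line, or None."""
    m = PORT_RE.match(line)
    if m:
        ip, port = decode_hp(m.groups())
        if ip != client_ip:
            # An FTP-aware filter refuses a PORT that points at some third host.
            raise ValueError("PORT names a host other than the client")
        # Active mode: the SERVER initiates, from its port 20 to the client's port.
        return DataConn("active", server_ip, 20, ip, port)
    m = PASV_RE.match(line)
    if m:
        ip, port = decode_hp(m.groups())
        # Passive mode: the CLIENT initiates, from an ephemeral port to the server.
        return DataConn("passive", client_ip, EPHEMERAL, ip, port)
    return None  # not a line that sets up a data connection

def outbound_only(conn):
    """Policy of a filter that only lets the LAN start sessions: who sends the SYN?"""
    src_inside = ipaddress.ip_address(conn.src_ip) in LAN
    dst_inside = ipaddress.ip_address(conn.dst_ip) in LAN
    return "ACCEPT" if src_inside and not dst_inside else "DROP"

def evaluate(line, client_ip="192.168.1.10", server_ip="203.0.113.5"):
    """(mode, source port, destination port, verdict) for one control line."""
    conn = plan_data_connection(line, client_ip, server_ip)
    if conn is None:
        return None
    return conn.mode, conn.src_port, conn.dst_port, outbound_only(conn)

if __name__ == "__main__":
    for line in ("PORT 192,168,1,10,5,219",                          # constructed
                 "227 Entering Passive Mode (203,0,113,5,195,80)"):  # constructed
        print(line, "->", evaluate(line))
```

With the constructed lines, `PORT 192,168,1,10,5,219` means the server will SYN from 203.0.113.5:20 to 192.168.1.10:1499, which the outbound-only policy drops (the control session stays up but the listing or transfer hangs), while the 227 reply means the client will SYN to 203.0.113.5:50000, which passes as a LAN-initiated session. A firewall that understands FTP instead reads the PORT command off the control channel and opens a temporary hole for exactly that expected inbound connection, which is the port-aware dynamic filtering the closing post describes.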


LI thanks for the info...

by admin In reply to Firewalling with LordInfi ...

but I didn't actually set the one-disk wonder up. I was looking for something easy at home and just purchased a webramp 700s that does stateful inspection and nat2nat, among other things (remember this conversation :) and it only costs 34.00. They were like 16.00 unboxed, but they sold out in a hurry. Anyway... it's more expensive than a floppy, but for 34.00, shipping and quick set-up it might be another good solution (or maybe not).

Anyway, plug webramp into the search at if you are interested in a cheap small stateful inspection bit o' hardware. They of course are only 5-user (without the mod chips on e-bay) but they also sell a legit version with more users for a bit more.

It's just another path to get mo-betta firewalls out there for more users.



Their site said 479 retail

by LordInfidel In reply to LI thanks for the info...

Did you find it on ebay?

I looked at their data sheet and it's OK, I guess.
It just reminds me of every other type of DSL router out there.

What I liked about BBIagent is that it is based on the Linux 2.4 kernel. Fits on a floppy. Is free, and will run on virtually anything.

Plus they are working on VPN support which is way cool.

Like now, if I need to connect 2 networks together across the net (wearing my consultant hat), I have to create a Linux box (usually BSD with IP Tables) and add FreeSwan to it to make a secure VPN.

That set-up isn't exactly time friendly or cost effective for me or the client.

But if I could deploy 2 BBIagent router/firewalls in less than half the time and take off a couple of hours, then everyone is happy.

I still have been unable to exploit it.

The only bad thing is that I can't SSH into it, because it does not support it nor does it accept connections to itself. Which I guess is also a good thing. You can't remotely manage it, which also cuts off that ability to the would-be attacker.

The thing I don't like about the hardware-based solutions is that you can theoretically tftp a file to it and bring it down.

I know that with the Linksys DSL routers, no matter what password you assign to it, when you tftp an update to it, it will only accept the default password, which is posted on their website. Not very secure in my small book.


DuDe! My Bad! here is the correct link

by admin In reply to Their site said 479 retai ...

Yeah.... the centrix site was WRONG!

Anyway... I still like your solution and may try it. The Linksys DSL routers aren't a great comparison to the rebranded SOHO, I didn't think.... but I could be missing something.

BBIagent looks way cool. Haven't run it but did look at it. There would be, as you mentioned, business drawbacks, but it looks above and beyond for what I need at home. :)


You may want to know this

by LordInfidel In reply to DuDe! My Bad! here is th ...

Remember what I said about the Linksys and the password not being able to be changed.

Webramp is the same way.

SecFocus has an exploit about it. The default u/p cannot be changed and is publicly available on Webramp's site.

This goes against all known security practices.

Let's say you limit the machine to only accept connections from the internal LAN.

And if I, as an attacker, decide I want to bring your network down, I would simply send a probe through your network to find a port that one of your machines is listening on, shovel a shell to it, launch tftp, use the known u/p, and upload a bogus image. Boom, I now either have control of your network or I have just brought your network down and made your device unusable.
