This is a discussion on Re: [fw-wiz] Firewalls that generate new packets.. - Firewalls ; Darden, Patrick S. wrote: > Marcus J. Ranum > ... >> The hard thing I had to wrap my brain around was the >> observation that between a router+ACLs combined >> with the state that is held in the TCP ...
Darden, Patrick S. wrote:
> Marcus J. Ranum
>> The hard thing I had to wrap my brain around was the
>> observation that between a router+ACLs combined
>> with the state that is held in the TCP stack of the
>> target, you've got exactly the same thing (and often
>> quite a bit better!) than a "stateful" firewall.
> I respecfully disagree for all the reasons I have outlined
> before.... Sum: tcp sequence #s make a difference.
So long as you mean "tcp sequence#s" to mean modelling the entire
TCP connection state, yes. The implication that you're missing is that
the TCP window also needs to be tracked (including whether or not
window scaling is being used), along with which flags appeared at
which sequence numbers so you know what to expect next. e.g
the SYN and FIN flags impact sequence numbers without there being
an explicit change in the headers.
If you go to the extreme of only allowing in sequence TCP packets
and ensure that retransmitted data is always the same as the original,
you could argue that the "stateful inspection" mode here becomes a
layer 5 firewall rather than layer 3 or 4. And that's without a proxy
firewall-wizards mailing list