[ILUG] Firewall Overhead.
plop at redbrick.dcu.ie
Mon Jun 26 15:58:03 IST 2000
In reply to Paul Jakma's flatulent wordings,
> On Mon, 26 Jun 2000, Smelly Pooh wrote:
> > Optimise the OS for the task at hand, Linux isn't known for being the best
> > packet filter platform around,
> why do you say this?
To get a rise out of you paul
> > will the 2.4.x kernels even be capable of
> > maintaining state?
> eh? EXPN please...
Keep state information about IP connections. Instead of statically maintaining
rules based solely on information in the IP packet itself, you can, say, have a
rule to allow all outgoing connections with state kept, but block all incoming
connections. That's 2 rules you need for any firewall that doesn't provide a
service (such as a firewall for a home machine), and not much more if you do.

I know Linux up to ipchains (and every other firewall package) can read
such information from TCP headers, because TCP headers are the only
headers that encode state information in the header itself (in the form of
SYN, ACK, FIN and RST flags). The problem with this is that people can
hand-make packets to get around your firewall, such as nmap FIN scanning, which
doesn't happen with stateful firewalls that can tell if the FIN is part
of an existing session.

State keeping also works for non-TCP protocols such as UDP or ICMP. For
example, if you want to be able to make nslookups from your internal network,
you'll probably end up having to make an outgoing UDP connection to port 53 of
an external DNS server from an arbitrary port. With a non-stateful firewall
you'll have a rule to allow all UDP from port 53 to any to get around this (or
alternatively have an internal DNS server that only queries from a predefined
port, but let's not make up excuses for firewall shortcomings). Obviously with
a rule like that, anybody can connect to any of your UDP services simply by
setting their source port to 53. Yet again, with a stateful firewall you only
need the "allow all outgoing, keep state" and "block all incoming" rules, and
incoming UDP packets from port 53 will only be allowed if they're part of an
existing connection.

The 2 free firewall packages I know of that keep state are ipfw (for FreeBSD)
and ipfilter (which is surprisingly portable for a packet filter: it runs on
*BSD, Solaris, IRIX, HP-UX and even Linux, although from what I hear the Linux
version only works with older kernels). Commercial packages like Firewall-1
also keep state.
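The two policies contrasted in the post, replayed in a toy packet filter. This is an added example, not code from the original message or from ipchains, ipfw or ipfilter: the stateless policy is a header-only rule set of the kind the post describes (block inbound bare SYNs, let UDP from source port 53 back in), the stateful one is "allow all outgoing keep state, block all incoming". The hosts, ports and packets in the scenarios are made-up inputs chosen to show the source-port-53 hole and the unsolicited FIN probe; the internal host, resolver and attacker addresses are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet as the filter sees it. direction is "out" (leaving the
    protected network) or "in" (arriving from outside). Addresses, ports and
    flags used in the scenarios below are made up for illustration."""
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str
    flags: frozenset = frozenset()   # TCP flags, e.g. frozenset({"SYN"})


def stateless_allow(pkt: Packet) -> bool:
    """Header-only (ipchains-style) policy from the post: allow everything
    out; inbound, reject new TCP connection attempts, let DNS answers back in
    by matching source port 53, and drop the rest."""
    if pkt.direction == "out":
        return True
    if pkt.proto == "tcp":
        # Only a bare SYN is recognisable as a new connection. A lone FIN
        # (nmap -sF) or a SYN/ACK looks like traffic of an existing session.
        new_connection = "SYN" in pkt.flags and "ACK" not in pkt.flags
        return not new_connection
    if pkt.proto == "udp":
        # The hole the post describes: any datagram with source port 53 passes.
        return pkt.sport == 53
    return False


class StatefulFilter:
    """'Allow all outgoing keep state, block all incoming': each outbound
    packet that opens a flow is recorded, and an inbound packet is accepted
    only if it is the reverse of a recorded flow."""

    def __init__(self) -> None:
        # (proto, inside_addr, inside_port, outside_addr, outside_port)
        self.flows = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            # TCP state starts with the SYN; UDP has no handshake, so any
            # outbound datagram opens (or refreshes) a pseudo-connection.
            if pkt.proto == "udp" or "SYN" in pkt.flags:
                self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        flow = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if flow not in self.flows:
            return False          # unsolicited: spoofed sport 53, FIN probe, SYN
        if pkt.proto == "tcp" and "RST" in pkt.flags:
            self.flows.discard(flow)   # peer tore the session down
        return True


def run_scenarios():
    """Replay the post's cases through both filters.
    Returns {scenario: (stateless_allowed, stateful_allowed)}."""
    host, attacker = "10.0.0.5", "198.51.100.7"      # assumed addresses
    resolver, web = "192.0.2.53", "203.0.113.80"
    stateful = StatefulFilter()
    results = {}

    def check(name, pkt):
        results[name] = (stateless_allow(pkt), stateful.allow(pkt))

    # 1. legitimate DNS lookup from an arbitrary port and its answer
    check("dns query out", Packet("udp", host, 40123, resolver, 53, "out"))
    check("dns answer in", Packet("udp", resolver, 53, host, 40123, "in"))
    # 2. attacker sets source port 53 to reach an internal UDP service
    check("spoofed sport 53 to syslog", Packet("udp", attacker, 53, host, 514, "in"))
    # 3. nmap FIN scan probe against a port with no session behind it
    check("fin scan probe",
          Packet("tcp", attacker, 55555, host, 22, "in", frozenset({"FIN"})))
    # 4. plain inbound connection attempt: both policies stop this one
    check("inbound syn",
          Packet("tcp", attacker, 55556, host, 22, "in", frozenset({"SYN"})))
    # 5. legitimate outbound TCP, its SYN/ACK, and a FIN that does belong to it
    check("http syn out",
          Packet("tcp", host, 50000, web, 80, "out", frozenset({"SYN"})))
    check("http synack in",
          Packet("tcp", web, 80, host, 50000, "in", frozenset({"SYN", "ACK"})))
    check("http fin in",
          Packet("tcp", web, 80, host, 50000, "in", frozenset({"FIN", "ACK"})))
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenarios().items():
        print(f"{name:28s} stateless={stateless!s:5s} stateful={stateful}")
```

The two results worth noticing are "spoofed sport 53 to syslog" and "fin scan probe": the header-only policy passes both, the state-keeping one passes neither, while every legitimate reply (the DNS answer, the SYN/ACK, the session's own FIN) still gets through because it matches a flow the inside host opened.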