Quoting Gerhard Sittig (Gerhard.Sittig@gmx.net) on Wed, Feb 28, 2001 at 04:20:54AM +0100:
On Tue, Feb 27, 2001 at 18:03 +0100, Marc Heuse wrote:
(As I understand then IPtables make an improvement in the "memory" when compared with the stateless IPchains. Is this a good reason for skipping IPchains and start IPtables.....?)
you have the option to keep track of connection states. this is an improvement, yes, however not a big one in my opinion
Really? Linux users might not be that aware (yet). I myself only learned about the benefits _because_ I did run a stateful packet filter (most things I stumble upon pass by unnoticed by Linux friends).
Think of all those bloody bastards trying to penetrate your filter by using source ports like 20, 53, 80, and the like.
So what. Use proxies and that doesn't bother you. Thinking of a firewall as packet filtering only is the wrong way to go.
Think of the "symmetric" and "unconditional" rulesets we see here on a regular basis to "let anything out and let anything in" no matter if it's some request or some response. I have yet to see an ipchains ruleset to "let me do anything I want while nobody can get in" ...
I feel it to be a *huge* improvement to have the notion of "let the answer in if and _only_ if I asked _this_ machine before to send me an answer".
And no, the "established" keyword cannot really count as an answer. What's the point in passing packets based on a flag the outside(!) sets? You don't believe in sources you want to protect yourself against in the first place, do you?
Again, waht happens with packets without a SYN flag where there is no connection for them? Yes they can be used for scanning, but if you have a problem beeing scanned, then you have too many exposed systems anyway.
It definitely gives me much more warm fuzzies to have a *very* selective filter in place. Of course it cannot solve all my problems, but it's better than anything I could have done by means of Linux and ipchains. I never would like to go back to stateless filters (read: I *gladly* spend the memory and cpu cycles on the functionality). And yes, it's just one aspect and has to be seen in combination with *all* the other possible hurdles and obstacles one sets up for the bad guys. But why not use the possibilities given?
Well, all the stateful systems I have seen so far had interesting bugs (check for PIX and FW-1 state engine bugs in the bugtraq archives). This is an added complexity in the code, which increases the chance for implementation bugs. Knowing Marc and his experince, I guess he can confirm that from real life audits... Although I think the functionality of stateful filters can be very useful, I am not rushing out to replace prooven systems with it. cheers afx -- atsec information security GmbH Phone: +49-89-44249830 Steinstrasse 68 Fax: +49-89-44249831 D-81667 Muenchen, Germany WWW: www.atsec.com May the Source be with you!