4.3.29 · D4Computer Networks

Exercises — Firewalls — stateless vs stateful packet filtering

2,491 words11 min readBack to topic

Before we start, one tiny reminder so no symbol is used unearned.

The shared ruleset for the whole page (identical to the parent's table):

# Dir Proto Src Dst Dst Port Flag Action
1 out TCP 10.0.0.0/24 any 80, 443 ALLOW
2 in TCP any 10.0.0.0/24 > 1023 ACK=1 ALLOW
3 * * any any any DENY

Here "10.0.0.0/24" means "any address whose first three numbers are 10.0.0" — the internal LAN. Ports > 1023 are the ephemeral (temporary) ports a client picks for itself.


L1 — Recognition

Recall Solution 1.1

This is a stateless (static / packet) filter — decision = f(this packet's header, rules). The header trick for return traffic is: allow inbound only if the TCP ACK bit = 1, because the first packet of any new connection is a lone SYN (ACK=0) and every later packet has ACK=1.

Recall Solution 1.2

50000 is the ephemeral client port (> 1023, chosen by the laptop). 443 is the well-known service port (HTTPS). The client always dials the server's fixed door; it answers from a temporary door of its own.


L2 — Application

Recall Solution 2.1

Stateless: direction = out, proto = TCP, dst port = 443 → matches rule #1ALLOW. No entry created (it has no table). Stateful: matches the same outbound policy → ALLOW and creates the entry The firewall now remembers this conversation. See the flow in the figure below.

Figure — Firewalls — stateless vs stateful packet filtering
Recall Solution 2.2

Stateless: direction = in, dst = 10.0.0.5 (inside /24), dst port 50000 > 1023, ACK=1 → matches rule #2ALLOW. It trusts the flag, not the conversation. Stateful: look up the reverse 5-tuple — swap src/dst so the row from 2.1 matches — entry found → ALLOW, update state SYN_SENT → ESTABLISHED. Decision made on real memory.


L3 — Analysis

Recall Solution 3.1

Stateless: in, dst inside 10.0.0.0/24, dst port 50000 > 1023, ACK=1 → matches rule #2ALLOW (BAD). This is the ACK scan / spoofed-probe weakness: a lone forged ACK is indistinguishable, header-wise, from a genuine reply. Stateful: canonicalise and look up the 5-tuple → no matching entry (no SYN was ever sent to 66.66.66.66) → DROP (GOOD). Memory beats the flag trick. The two decision paths are contrasted in the figure below.

Figure — Firewalls — stateless vs stateful packet filtering
Recall Solution 3.2

Only the first outbound SYN hits the full rulebase → 1 full-rulebase evaluation. Every other packet is matched against the state table. Total packets: Table lookups (all packets after the first) . This is why stateful firewalls are fast on established flows: the expensive check happens once per connection, not once per packet.


L4 — Synthesis

Recall Solution 4.1

The data port P is negotiated at runtime and differs per session. A stateless filter has no way to learn P, so its only options are (a) permanently open a huge inbound port range (a gaping hole), or (b) block the data connection entirely (FTP breaks). Both are bad. The fix is a stateful ALG (Application-Layer Gateway), from Application Layer Gateways / Proxies: it reads the FTP control channel, parses the announced port P, and opens exactly that one port temporarily, tearing it down when the transfer ends. State lets the firewall react to what the protocol is doing rather than guess in advance.

Recall Solution 4.2

Stateless:

# Dir Proto Dst Port Flag Action
1 out TCP 443 ALLOW
2 out UDP 53 ALLOW
3 in TCP >1023 ACK=1 ALLOW
4 in UDP >1023 ALLOW
5 * * any DENY

Stateful:

# Dir Proto Dst Port Action
1 out TCP 443 ALLOW + track
2 out UDP 53 ALLOW + track
3 in any ALLOW iff in state table
4 * * any DENY

The field stateless cannot protect: UDP has no ACK bit. Rule #4 in the stateless version lets any inbound UDP to a high port through — an attacker can spray forged UDP replies. The stateful box only admits UDP that matches a tracked outbound DNS query (matched by 5-tuple + short timeout), closing that hole.


L5 — Mastery

Recall Solution 5.1

Entries accumulate for the timeout window before old ones expire, so at steady state the table holds about entries. To fill capacity : (a) SYNs/second. (b) SYNs/second — a shorter timeout forces the attacker to a higher rate, harder to sustain and easier to spot. (c) The stateless box stores nothing per connection, so there is no finite table to exhaust — it simply rate-limits or forwards each SYN and moves on.

Recall Solution 5.2
  • Edge, stateless fast ACLs (Access Control Lists (ACLs)) drop obviously bad subnets and rate-limit at line rate — cheap, DoS-resistant first sieve.
  • Stateful core tracks the 5-tuple (OSI Model — Layers 3 and 4 fields) so return traffic is automatic and forged ACKs are dropped (Exercise 3.1).
  • SYN cookies + short half-open timeout protect the state table (Exercise 5.1) against Denial of Service Attacks — the firewall answers SYNs without allocating an entry until the handshake completes.
  • ALGs (Application Layer Gateways / Proxies) open dynamic FTP/SIP data ports on demand (Exercise 4.1).
  • Network Address Translation (NAT) already keeps a translation table per flow, so it naturally reinforces the stateful return-traffic logic.

Principle: Filter cheaply and statelessly at the edge; track state where accuracy matters; never let the state table become the single point an attacker can exhaust.


Recall Master recall (cloze)

The forgetful firewall type ::: stateless (static / packet filter) The field it (ab)uses to allow return TCP traffic ::: the ACK bit Why the ACK trick fails ::: an attacker can forge ACK=1 with no real connection What a stateful firewall stores per flow ::: a state-table row (5-tuple + TCP state) The DoS a stateful box is uniquely vulnerable to ::: SYN flood (state exhaustion) Why UDP needs stateful/ALG, not the ACK trick ::: UDP has no flags — no first-vs-reply bit The helper that opens dynamic FTP data ports ::: an ALG (application-layer gateway)