Shuru karne se pehle, ek chhota sa reminder taaki koi symbol bina wajah use na ho.
Poore page ke liye shared ruleset (parent ke table ke identical):
#
Dir
Proto
Src
Dst
Dst Port
Flag
Action
1
out
TCP
10.0.0.0/24
any
80, 443
—
ALLOW
2
in
TCP
any
10.0.0.0/24
> 1023
ACK=1
ALLOW
3
*
*
any
any
any
—
DENY
Yahan "10.0.0.0/24" ka matlab hai "koi bhi address jiske pehle teen numbers 10.0.0 hain" — yani internal LAN. Ports > 1023 woh ephemeral (temporary) ports hain jo ek client apne liye khud choose karta hai.
Yeh ek stateless (static / packet) filter hai — decision = f(is packet ka header, rules).
Return traffic ke liye header trick yeh hai: inbound tab hi allow karo jab TCP ACK bit = 1 ho, kyunki
kisi bhi naye connection ka pehla packet ek akela SYN hota hai (ACK=0) aur har baad ke packet mein ACK=1 hota hai.
Recall Solution 1.2
50000 ephemeral client port hai (> 1023, laptop ne choose kiya). 443 well-known
service port hai (HTTPS). Client hamesha server ka fixed door dial karta hai; woh apne ek
temporary door se jawab deta hai.
Stateless: direction = out, proto = TCP, dst port = 443 → rule #1 se match → ALLOW.
Koi entry create nahi hoti (iski koi table nahi hai).
Stateful: same outbound policy se match → ALLOWaur entry create karta hai
(10.0.0.5,93.184.216.34,50000,443,TCP,state=SYN_SENT)
Firewall ab is conversation ko yaad rakhta hai. Neeche figure mein flow dekhein.
Recall Solution 2.2
Stateless: direction = in, dst = 10.0.0.5 (inside /24), dst port 50000 > 1023, ACK=1
→ rule #2 se match → ALLOW. Yeh flag par trust karta hai, conversation par nahi.
Stateful:reverse 5-tuple lookup karo — src/dst swap karo taaki 2.1 ki row match ho —
entry mili → ALLOW, state update SYN_SENT → ESTABLISHED. Decision real memory par based.
Stateless: in, dst 10.0.0.0/24 ke andar, dst port 50000 > 1023, ACK=1 → rule #2 se match
→ ALLOW (BAD). Yeh ACK scan / spoofed-probe weakness hai: header-wise, ek akela forged ACK
ek genuine reply se alag nahi dikhta.
Stateful: 5-tuple canonicalise karo aur lookup karo → koi matching entry nahi (kabhi koi SYN
66.66.66.66 ko bheja hi nahi gaya) → DROP (GOOD). Memory flag trick ko beat karti hai.
Neeche figure mein dono decision paths compare kiye gaye hain.
Recall Solution 3.2
Sirf pehla outbound SYN full rulebase tak pahunchta hai → 1 full-rulebase evaluation.
Baaki har packet state table ke against match hota hai. Total packets:
1+1+1+40+2=45.
Table lookups (pehle ke baad ke saare packets) =45−1=44. Isliye stateful firewalls
established flows par fast hote hain: expensive check ek connection mein ek baar hoti hai, har packet par nahi.
Data port Pruntime par negotiate hota hai aur har session mein alag hota hai. Ek stateless filter ke paas
P jaanne ka koi tarika nahi, toh uske sirf options hain (a) permanently ek huge inbound port range kholna
(ek bada hole), ya (b) data connection block karna (FTP toot jaata hai). Dono bure hain.
Fix ek stateful ALG (Application-Layer Gateway) hai,
Application Layer Gateways / Proxies se: woh FTP control channel padhta hai, announced port P parse karta hai, aur exactly wahi ek port temporarily open karta hai, transfer khatam hone par use band kar deta hai. State firewall ko protocol kya kar raha hai uske react karne deta hai, pehle se andaza lagaane ki bajaye.
Recall Solution 4.2
Stateless:
#
Dir
Proto
Dst Port
Flag
Action
1
out
TCP
443
—
ALLOW
2
out
UDP
53
—
ALLOW
3
in
TCP
>1023
ACK=1
ALLOW
4
in
UDP
>1023
—
ALLOW
5
*
*
any
—
DENY
Stateful:
#
Dir
Proto
Dst Port
Action
1
out
TCP
443
ALLOW + track
2
out
UDP
53
ALLOW + track
3
in
any
—
ALLOW iff in state table
4
*
*
any
DENY
Woh field jo stateless protect nahi kar sakta: UDP mein koi ACK bit nahi hai. Stateless version mein rule #4
kisi bhi inbound UDP ko high port par jaane deta hai — ek attacker forged UDP replies spray kar sakta hai. Stateful box sirf woh UDP admit karta hai jo tracked outbound DNS query se match karta hai (5-tuple + short timeout se matched), woh hole band karta hai.
Entries timeout window T ke liye accumulate hoti hain pehle ki puraani expire hon, toh steady state mein
table mein lagbhag r×T entries hoti hain. Capacity C fill karne ke liye:
r×T≥C⟹r≥TC.(a)r≥601,000,000≈16,667 SYNs/second.
(b)r≥101,000,000=100,000 SYNs/second — ek shorter timeout attacker ko 6× zyaada rate par force karta hai, sustain karna mushkil aur spot karna aasaan.
(c) Stateless box connection ke per kuch store nahi karta, toh koi finite table hi nahi hai exhaust karne ke liye — woh simply har SYN ko rate-limit ya forward karta hai aur aage badh jaata hai.
Recall Solution 5.2
Edge, stateless fast ACLs (Access Control Lists (ACLs)) obviously bure subnets drop karte hain aur
line rate par rate-limit karte hain — sasta, DoS-resistant pehla sieve.
Stateful core 5-tuple track karta hai (OSI Model — Layers 3 and 4 fields) taaki return traffic
automatic ho aur forged ACKs drop ho jayein (Exercise 3.1).
SYN cookies + short half-open timeout state table ko protect karte hain (Exercise 5.1)
Denial of Service Attacks ke against — firewall SYNs ka jawab entry allocate kiye bina deta hai jab tak
handshake complete na ho jaaye.
ALGs (Application Layer Gateways / Proxies) demand par dynamic FTP/SIP data ports open karte hain
(Exercise 4.1).
Network Address Translation (NAT) already har flow ke liye ek translation table rakhta hai, toh woh
naturally stateful return-traffic logic reinforce karta hai.
Principle:Edge par saste aur statelessly filter karo; jahan accuracy matter kare wahan state track karo;
kabhi state table ko woh single point mat banne do jise ek attacker exhaust kar sake.
Recall Master recall (cloze)
Bhulakkad firewall type ::: stateless (static / packet filter)
Woh field jo woh return TCP traffic allow karne ke liye (ab)use karta hai ::: ACK bit
ACK trick kyun fail hoti hai ::: ek attacker bina real connection ke ACK=1 forge kar sakta hai
Ek stateful firewall har flow ke liye kya store karta hai ::: ek state-table row (5-tuple + TCP state)
Woh DoS jis par stateful box uniquely vulnerable hai ::: SYN flood (state exhaustion)
UDP ko stateful/ALG kyun chahiye, ACK trick nahi ::: UDP mein koi flags nahi hote — koi first-vs-reply bit nahi
Woh helper jo dynamic FTP data ports open karta hai ::: ek ALG (application-layer gateway)