4.3.29 · D4 · HinglishComputer Networks

ExercisesFirewalls — stateless vs stateful packet filtering

2,745 words12 min read↑ Read in English

4.3.29 · D4 · Coding › Computer Networks › Firewalls — stateless vs stateful packet filtering

Shuru karne se pehle, ek chhota sa reminder taaki koi symbol bina wajah use na ho.

Poore page ke liye shared ruleset (parent ke table ke identical):

# Dir Proto Src Dst Dst Port Flag Action
1 out TCP 10.0.0.0/24 any 80, 443 ALLOW
2 in TCP any 10.0.0.0/24 > 1023 ACK=1 ALLOW
3 * * any any any DENY

Yahan "10.0.0.0/24" ka matlab hai "koi bhi address jiske pehle teen numbers 10.0.0 hain" — yani internal LAN. Ports > 1023 woh ephemeral (temporary) ports hain jo ek client apne liye khud choose karta hai.


L1 — Recognition

Recall Solution 1.1

Yeh ek stateless (static / packet) filter hai — decision = f(is packet ka header, rules). Return traffic ke liye header trick yeh hai: inbound tab hi allow karo jab TCP ACK bit = 1 ho, kyunki kisi bhi naye connection ka pehla packet ek akela SYN hota hai (ACK=0) aur har baad ke packet mein ACK=1 hota hai.

Recall Solution 1.2

50000 ephemeral client port hai (> 1023, laptop ne choose kiya). 443 well-known service port hai (HTTPS). Client hamesha server ka fixed door dial karta hai; woh apne ek temporary door se jawab deta hai.


L2 — Application

Recall Solution 2.1

Stateless: direction = out, proto = TCP, dst port = 443 → rule #1 se match → ALLOW. Koi entry create nahi hoti (iski koi table nahi hai). Stateful: same outbound policy se match → ALLOW aur entry create karta hai Firewall ab is conversation ko yaad rakhta hai. Neeche figure mein flow dekhein.

Figure — Firewalls — stateless vs stateful packet filtering
Recall Solution 2.2

Stateless: direction = in, dst = 10.0.0.5 (inside /24), dst port 50000 > 1023, ACK=1rule #2 se match → ALLOW. Yeh flag par trust karta hai, conversation par nahi. Stateful: reverse 5-tuple lookup karo — src/dst swap karo taaki 2.1 ki row match ho — entry mili → ALLOW, state update SYN_SENT → ESTABLISHED. Decision real memory par based.


L3 — Analysis

Recall Solution 3.1

Stateless: in, dst 10.0.0.0/24 ke andar, dst port 50000 > 1023, ACK=1 → rule #2 se match → ALLOW (BAD). Yeh ACK scan / spoofed-probe weakness hai: header-wise, ek akela forged ACK ek genuine reply se alag nahi dikhta. Stateful: 5-tuple canonicalise karo aur lookup karo → koi matching entry nahi (kabhi koi SYN 66.66.66.66 ko bheja hi nahi gaya) → DROP (GOOD). Memory flag trick ko beat karti hai. Neeche figure mein dono decision paths compare kiye gaye hain.

Figure — Firewalls — stateless vs stateful packet filtering
Recall Solution 3.2

Sirf pehla outbound SYN full rulebase tak pahunchta hai → 1 full-rulebase evaluation. Baaki har packet state table ke against match hota hai. Total packets: Table lookups (pehle ke baad ke saare packets) . Isliye stateful firewalls established flows par fast hote hain: expensive check ek connection mein ek baar hoti hai, har packet par nahi.


L4 — Synthesis

Recall Solution 4.1

Data port P runtime par negotiate hota hai aur har session mein alag hota hai. Ek stateless filter ke paas P jaanne ka koi tarika nahi, toh uske sirf options hain (a) permanently ek huge inbound port range kholna (ek bada hole), ya (b) data connection block karna (FTP toot jaata hai). Dono bure hain. Fix ek stateful ALG (Application-Layer Gateway) hai, Application Layer Gateways / Proxies se: woh FTP control channel padhta hai, announced port P parse karta hai, aur exactly wahi ek port temporarily open karta hai, transfer khatam hone par use band kar deta hai. State firewall ko protocol kya kar raha hai uske react karne deta hai, pehle se andaza lagaane ki bajaye.

Recall Solution 4.2

Stateless:

# Dir Proto Dst Port Flag Action
1 out TCP 443 ALLOW
2 out UDP 53 ALLOW
3 in TCP >1023 ACK=1 ALLOW
4 in UDP >1023 ALLOW
5 * * any DENY

Stateful:

# Dir Proto Dst Port Action
1 out TCP 443 ALLOW + track
2 out UDP 53 ALLOW + track
3 in any ALLOW iff in state table
4 * * any DENY

Woh field jo stateless protect nahi kar sakta: UDP mein koi ACK bit nahi hai. Stateless version mein rule #4 kisi bhi inbound UDP ko high port par jaane deta hai — ek attacker forged UDP replies spray kar sakta hai. Stateful box sirf woh UDP admit karta hai jo tracked outbound DNS query se match karta hai (5-tuple + short timeout se matched), woh hole band karta hai.


L5 — Mastery

Recall Solution 5.1

Entries timeout window ke liye accumulate hoti hain pehle ki puraani expire hon, toh steady state mein table mein lagbhag entries hoti hain. Capacity fill karne ke liye: (a) SYNs/second. (b) SYNs/second — ek shorter timeout attacker ko zyaada rate par force karta hai, sustain karna mushkil aur spot karna aasaan. (c) Stateless box connection ke per kuch store nahi karta, toh koi finite table hi nahi hai exhaust karne ke liye — woh simply har SYN ko rate-limit ya forward karta hai aur aage badh jaata hai.

Recall Solution 5.2
  • Edge, stateless fast ACLs (Access Control Lists (ACLs)) obviously bure subnets drop karte hain aur line rate par rate-limit karte hain — sasta, DoS-resistant pehla sieve.
  • Stateful core 5-tuple track karta hai (OSI Model — Layers 3 and 4 fields) taaki return traffic automatic ho aur forged ACKs drop ho jayein (Exercise 3.1).
  • SYN cookies + short half-open timeout state table ko protect karte hain (Exercise 5.1) Denial of Service Attacks ke against — firewall SYNs ka jawab entry allocate kiye bina deta hai jab tak handshake complete na ho jaaye.
  • ALGs (Application Layer Gateways / Proxies) demand par dynamic FTP/SIP data ports open karte hain (Exercise 4.1).
  • Network Address Translation (NAT) already har flow ke liye ek translation table rakhta hai, toh woh naturally stateful return-traffic logic reinforce karta hai.

Principle: Edge par saste aur statelessly filter karo; jahan accuracy matter kare wahan state track karo; kabhi state table ko woh single point mat banne do jise ek attacker exhaust kar sake.


Recall Master recall (cloze)

Bhulakkad firewall type ::: stateless (static / packet filter) Woh field jo woh return TCP traffic allow karne ke liye (ab)use karta hai ::: ACK bit ACK trick kyun fail hoti hai ::: ek attacker bina real connection ke ACK=1 forge kar sakta hai Ek stateful firewall har flow ke liye kya store karta hai ::: ek state-table row (5-tuple + TCP state) Woh DoS jis par stateful box uniquely vulnerable hai ::: SYN flood (state exhaustion) UDP ko stateful/ALG kyun chahiye, ACK trick nahi ::: UDP mein koi flags nahi hote — koi first-vs-reply bit nahi Woh helper jo dynamic FTP data ports open karta hai ::: ek ALG (application-layer gateway)