4.3.29 · Coding › Computer Networks
Intuition Ek sentence mein idea
Ek firewall network ke darwaze par security guard hota hai jo decide karta hai ki kaun se packets andar/bahar jaayenge.
Ek stateless guard har packet ka "ID card" alag se check karta hai; ek stateful guard
yaad rakhta hai ki usne pehle kise andar aane diya tha aur us memory se zyada smart decisions leta hai.
Internet kisi bhi reachable IP par koi bhi packet deliver kar deta hai. Bina filtering ke, poori duniya
aapke machine ke har port par knock kar sakti hai — scanning, exploiting, flooding. Ek firewall attack
surface ko reduce karta hai ek policy enforce karke: "sirf is tarah ka traffic allowed hai; baaki sab drop karo."
Policy enforce karne ki sabse sasti jagah packet headers inspect karna hai, data kisi
application tak pahunchne se pehle.
Definition Packet filtering
Packet filtering = har packet ke header fields examine karna (IP addresses, protocol,
port numbers, TCP flags) aur rules ki ek ordered list apply karna jo packet ko ALLOW ya
DENY/DROP karti hai. Default usually deny-by-default hota hai (jo explicitly allowed nahi hai woh drop ho jaata hai).
Header fields jo ek filter typically padhta hai:
Layer
Field
Example use
IP (L3)
Source / Dest IP
ek bad subnet block karo
IP (L3)
Protocol (TCP/UDP/ICMP)
sirf TCP allow karo
TCP/UDP (L4)
Source / Dest port
dst 443 (HTTPS) allow karo
TCP (L4)
Flags (SYN, ACK, FIN, RST)
connection starts spot karo
Definition Stateless (packet) filter
Har packet ko apne aap judge karta hai , koi memory nahi past packets ki. Decision = f(is
packet ka header, rule list). Ise static ya packetfilter bhi kehte hain.
Definition Stateful (inspection) filter
Ek connection state table maintain karta hai (a.k.a. flow table ). Yeh har active connection
(uski 5-tuple + TCP state) track karta hai aur packet ko judge karta hai yeh poochh kar: "Kya yeh packet kisi aisi connection se belong karta hai jo maine pehle approve ki thi?" Decision = f(yeh packet, + remembered connection state ).
Intuition 5-tuple = connection ka fingerprint
Ek connection 5-tuple se identify hoti hai:
( srcIP , dstIP , srcPort , dstPort , protocol )
Stateful firewall har active 5-tuple ke liye ek row store karta hai uske TCP phase ke saath (jaise SYN_SENT,
ESTABLISHED). Woh memory hi poora farq hai.
Aap chahte ho ki aapka laptop web browse kar sake (outbound to port 443) aur reply bhi receive kare.
Lekin reply ek inbound packet hai. Stateless filter ko yaad nahi ki aapne conversation start ki thi,
toh use inbound packets header tricks se allow karne padte hain — jo ki leaky hai.
Classic stateless trick: inbound TCP packets sirf tab allow karo jab unka ACK bit set ho.
Intuition ACK trick kyun kaam karti hai (mostly)
Nayi TCP connection ka bilkul pehla packet SYN hota hai jisme ACK=0 hota hai. Established connection
ka baad wala har packet ACK=1 hota hai. Toh "inbound sirf ACK=1 par allow karo" replies ko through
aane deta hai jabki kisi nayi inbound connection ka pehla packet block ho jaata hai jo ek attacker bhejta.
Example stateless ruleset (internal hosts ko web servers tak jaane do, nayi inbound connections block karo):
#
Dir
Proto
Src
Dst
Dst Port
Flag
Action
1
out
TCP
10.0.0.0/24
any
80,443
—
ALLOW
2
in
TCP
any
10.0.0.0/24
>1023
ACK=1
ALLOW
3
*
*
any
any
any
—
DENY
Common mistake Steel-man: "ACK trick utni hi safe hai jitni stateful."
Kyun sahi lagti hai: real replies mein hamesha ACK=1 hota hai, aur pehla inbound SYN block ho jaata hai,
toh lagta hai watertight hai. Kyun galat hai: ek attacker ACK=1 wala packet hand-craft kar sakta hai
jo kisi bhi real connection se belong nahi karta. Stateless filter ACK=1 dekhta hai, rule #2 match karta hai,
aur use andar aane deta hai — ek ACK scan / spoofed-packet probe. Stateful filter apni table check karta hai,
koi matching connection nahi milti, aur drop kar deta hai. Fix: stateful tracking use karo, ya kam se kam
ACK trick ka residual risk samjho.
Intuition HOW — connection life cycle
Outbound SYN jaata hai → firewall rules check karta hai → agar allowed hai, ek state entry create karta hai
(5-tuple, state = SYN_SENT).
Inbound SYN-ACK aata hai → firewall table mein lookup karta hai → pending entry se match karta hai →
automatically allow karta hai aur state update karta hai → SYN_RCVD/ESTABLISHED.
Baad ke data packets → ESTABLISHED entry se match hote hain → poora rulebase dobara check kiye bina allow ho jaate hain (fast).
FIN/RST ya timeout → entry remove → us 5-tuple ke future packets drop ho jaate hain.
Worked example Example 2 — Legitimate reply
Server reply karta hai 93.184.216.34:443 → 10.0.0.5:50000, SYN-ACK.
Stateless: inbound, dst port 50000 (>1023), ACK=1 → rule #2 se match → ALLOW.
Yeh step kyun? Yeh sirf "flag trust" kar sakta hai, conversation nahi.
Stateful: reverse 5-tuple lookup karo → entry exist karti hai → ALLOW, ESTABLISHED mein update karo.
Yeh step kyun? Decision real memory par based hai, koi guessable flag nahi.
Worked example Example 3 — Attacker ka spoofed ACK probe
Attacker 66.66.66.66:80 → 10.0.0.5:50000 with ACK=1 , koi prior handshake nahi.
Stateless: inbound, port >1023, ACK=1 → rule #2 se match → ALLOW (BAD!) .
Yeh step kyun? Filter real reply aur forged ACK mein farq nahi kar sakta.
Stateful: 5-tuple lookup karo → table mein nahi → DROP (GOOD!) .
Yeh step kyun? Koi remembered connection nahi ⇒ packet unsolicited hai.
Worked example Example 4 — FTP / UDP ke liye stateful kyun zaruri hai
Active-mode FTP dynamic ports par ek doosri data connection open karta hai. Ek stateless rule ko
permanently ek bada port range open karna padta. Ek stateful firewall ek ALG (application-layer
gateway) helper use karta hai jo FTP control channel padhta hai, negotiated data port seek karta hai, aur
sirf woh ek port temporarily open karta hai. Yeh step kyun? State firewall ko protocol kya kar raha hai
uske hisaab se react karne deta hai, pehle se andaza lagane ki bajaye.
Aspect
Stateless
Stateful
Connections ki memory
None
Connection/state table
Return traffic
flag tricks (ACK)
table ke through automatic
Spoofed packets ke against security
weak
strong
Memory / CPU cost
bahut kam
zyada (per-flow state)
Speed per packet
constant, simple
established par fast, table lookup
DoS via state exhaustion
vulnerable nahi
vulnerable (SYN flood table fill karta hai)
Dynamic protocols (FTP/SIP)
poor
good (ALGs)
Common mistake Steel-man: "Stateful strictly better hai, toh hamesha use karo."
Kyun sahi lagta hai: yeh zyada accurate hai aur return traffic cleanly handle karta hai. Kyun
incomplete hai: state table finite memory hai. Ek SYN-flood millions of half-open
SYNs bhejta hai, har ek ek entry create karta hai, RAM exhaust kar deta hai — ek DoS jise stateless
box easily handle kar leta. Fix: SYN cookies / rate limiting ke saath combine karo; use case ke hisaab se choose karo. Routers ke fast ACLs deliberately stateless hote hain.
Recall Feynman: ek 12-saal ke bacche ko explain karo
Ek party mein doorman imagine karo. Ek bhulakkad doorman (stateless) har baar har aadmi ka ticket check
karta hai lekin kisi ko yaad nahi rakhta — toh ek chalaak baccha jo kehta hai "main pehle hi andar aaya tha, main
sirf wapas ja raha hoon" usse fool kar sakta hai agar usne sahi badge pehna ho. Ek samajhdar doorman (stateful) ek
guest list rakhta hai jinhe usne andar aane diya tha. Jab koi wapas andar aana chahta hai, woh list check karta hai. Agar
aapka naam wahan nahi hai, aap andar nahi ja sakte — chahe koi bhi badge wave karo. Samajhdar doorman safe hai,
lekin agar ek badi bheed fake names lekar aati hai, uski notebook bhar jaati hai aur woh overwhelm ho jaata hai.
Mnemonic Yaad rakhne ka tarika
"State = Slate." Ek stateful firewall connections ek slate par likhta hai (yeh remember karta hai).
Ek stateless firewall ke paas koi slate nahi — yeh har packet bhool jaata hai. Aur return traffic ke
liye trick word: "ACK = Already Came (b)acK" — ACK=1 ka matlab hai yeh wapas aane ka claim kar raha hai,
lekin sirf slate hi prove kar sakti hai.
Firewall state table mein ek single connection ko kya identify karta hai? 5-tuple: srcIP, dstIP, srcPort, dstPort, protocol
Stateless aur stateful filtering mein key difference kya hai? Stateless har packet ko akele judge karta hai bina memory ke; stateful ek connection state table maintain karta hai aur check karta hai ki packet kisi approved connection se belong karta hai ya nahi.
Stateless filter return traffic allow karne ke liye kaunsi header trick use karta hai? Inbound TCP sirf tab allow karo jab ACK bit set ho (ACK=1), kyunki nayi connections SYN se start hoti hain (ACK=0).
ACK trick insecure kyun hai? Ek attacker ACK=1 wala packet forge kar sakta hai jo kisi real connection se belong nahi karta; stateless use andar aane deta hai, stateful drop kar deta hai (koi matching table entry nahi).
Nayi TCP connection ka pehla packet distinguish karne wala flag kaunsa hai? SYN with ACK=0.
Jab stateful firewall mein outbound SYN allow hota hai toh kya hota hai? Yeh ek state-table entry create karta hai (5-tuple, state SYN_SENT) taaki reply automatically permit ho jaaye.
Kaunsa attack specifically stateful firewalls ko exploit karta hai lekin stateless ko nahi? SYN flood / state-table exhaustion — bahut saari half-open connections finite state table fill kar deti hain (DoS).
Active-mode FTP ko stateful firewall kyun chahiye? Yeh dynamically negotiated port par ek doosri data connection open karta hai; ek ALG control channel padhta hai aur exactly woh port temporarily open karta hai.
Achhe se configure kiye firewall ki default policy kya hoti hai? Deny-by-default: jo explicitly allowed nahi hai woh sab drop karo.
State entry kab remove hoti hai? TCP FIN/RST teardown par ya idle timeout ke baad.
TCP Three-Way Handshake — SYN/SYN-ACK/ACK hi wajah hai ki ACK trick aur state tracking kaam karti hai.
TCP Flags (SYN ACK FIN RST) — wo bits jo ek filter padhta hai.
Network Address Translation (NAT) — yeh bhi ek per-flow table maintain karta hai, conceptually stateful.
Access Control Lists (ACLs) — router ACLs classic stateless implementation hain.
Denial of Service Attacks — SYN flood vs state exhaustion.
OSI Model — Layers 3 and 4 — kaun se headers kahan rehte hain.
Application Layer Gateways / Proxies — headers se pare deeper inspection.
judges each packet, no memory
Firewall = security guard
Packet filtering on headers