4.3.29 · D5 · HinglishComputer Networks
Question bank — Firewalls — stateless vs stateful packet filtering
4.3.29 · D5· Coding › Computer Networks › Firewalls — stateless vs stateful packet filtering
True or false — justify
A stateless firewall keeps no memory of past packets.
True. Ye sirf is packet ki header ko akele rule list ke against decide karta hai; har packet ko judge kiya jaata hai jaise wo pehla ever-seen packet ho.
A stateful firewall never needs explicit rules, only its state table.
False. Ek naye connection ka pehla packet (outbound SYN) ka table mein koi entry nahi hota, isliye state create hone se pehle usse ek explicit ALLOW/DENY rule se judge karna zaroori hai.
"Allow inbound only if ACK=1" is enough to block all unsolicited inbound connections.
False. Ye initial SYN (ACK=0) ko block karta hai, lekin ek attacker ek aisa akela packet hand-craft kar sakta hai jisme ACK=1 ho jo kisi real connection se match nahi karta — stateless filter phir bhi use andar aane deta hai (dekho TCP Flags (SYN ACK FIN RST)).
A stateful firewall is always more secure than a stateless one.
Spoofed-packet filtering ke liye mostly haan, lekin har threat ke khilaf nahi: iska finite state table ek SYN flood se exhaust ho sakta hai, ek DoS jise stateless box aasaani se jhel leta hai.
The 5-tuple uniquely identifies an active connection.
True in practice. ek flow direction ko pin down karta hai; firewall iske saath TCP phase bhi store karta hai taaki dono directions ek remembered conversation se map hon.
Stateless filtering is obsolete and should never be used.
False. Iska constant-time, memoryless simplicity ise high-speed router Access Control Lists (ACLs) ke liye ideal banata hai aur ye state-exhaustion DoS se immune hai — iska ek real niche hai.
A stateful firewall re-checks the full rulebase for every packet of an established connection.
False. Ek baar ESTABLISHED ho jaane ke baad, packets ko directly table entry se match kiya jaata hai — ek fast lookup — precisely taaki har baar poori ordered ruleset re-run na karni pade.
Deny-by-default means the firewall drops any packet not explicitly allowed.
True. Final catch-all rule DENY hai, isliye jo packet upar ke kisi ALLOW rule se match nahi karta wo fall through hoke drop ho jaata hai — allow-by-default se zyada safe.
Spot the error
"Rule #2 allows inbound ACK=1 to any port, so it is safe."
Error hai "safe." mein.
>1023 ka koi bhi port ACK=1 ke saath allow hai, isliye ek forged ACK high port tak slip through kar jaata hai; flag prove karta hi nahi ki koi real conversation exist karta hai."The return SYN-ACK is inbound, so a deny-by-default stateless firewall must block it."
Error: return traffic ko ACK trick (ya stateful memory) bachaa leta hai. SYN-ACK mein actually ACK=1 hota hai, isliye ye inbound-ACK ALLOW rule se match karta hai aur through ho jaata hai.
"Stateful firewalls open no ports for active-mode FTP because they track state."
Error "open no ports" mein hai. Active FTP ko ek doosre data connection ki zaroorat hoti hai ek dynamic port par; ek ALG helper control channel read karta hai aur exactly wahi ek port temporarily open karta hai — wo ek port open karta hai, bas precisely.
"A stateless filter can track the TCP handshake through SYN → SYN-ACK → ACK."
Error: ek sequence track karne ke liye memory chahiye, jo exactly stateless mein hoti nahi. Ye teen unrelated packets dekhta hai aur har ek ko sirf header se judge karta hai.
"NAT and stateful firewalling are the same thing."
Error conflation hai. Network Address Translation (NAT) addresses/ports rewrite karta hai aur ek mapping table zaroor rakhta hai, lekin iska purpose address sharing hai, policy enforcement nahi — haalaanki dono remembered flows par rely karte hain.
"Because packets carry ports, port fields live at Layer 3."
Error: ports ek Layer 4 (transport) field hain. IPs Layer 3 hain; dekho OSI Model — Layers 3 and 4 — ek filter jo ports read karta hai wo L4 inspect kar raha hai.
"A firewall with a huge port range permanently open is equivalent to a stateful one for FTP."
Error: ek permanent wide range ek standing hole hai jise attacker kabhi bhi hit kar sakta hai, jabke stateful ALG ek connection ke liye ek port open karta hai aur close kar deta hai — bahut chhota attack surface.
Why questions
Why does the very first packet of a new TCP connection have ACK=0?
Kyunki abhi tak acknowledge karne ke liye kuch hai hi nahi — SYN conversation open karta hai, isliye koi prior sequence number exist nahi karta jo confirm kiya ja sake (dekho TCP Three-Way Handshake).
Why can a stateless filter be immune to state-exhaustion DoS?
Ye per-connection kuch bhi store nahi karta, isliye fill karne ke liye koi table hai hi nahi; har SYN judge hoke forget ho jaata hai, flood size chahe kuch bhi ho memory constant rehti hai.
Why does a stateful firewall drop the attacker's spoofed ACK but a stateless one allows it?
Stateful box packet ka 5-tuple lookup karta hai, koi matching approved connection nahi milta, aur drop kar deta hai; stateless box ke paas consult karne ke liye koi table nahi hai aur wo sirf ACK flag par trust karta hai.
Why is the return rule so much simpler on a stateful firewall?
Kyunki — remembered connection hi rule hai, jo fragile flag-based inbound rules ko ek direct membership check se replace kar deta hai.
Why does removing the state entry on FIN/RST matter for security?
Ek baar connection close ho jaane ke baad, uska 5-tuple ab trusted nahi rehna chahiye; entry ko rakhne se ek late spoofed packet ek closed flow ki "permission" reuse kar sakta tha.
Why is packet filtering the cheapest place to enforce policy?
Ye sirf header fields read karta hai aur payload kisi bhi application tak pahunchne se pehle decide karta hai, isliye bura traffic early drop ho jaata hai bina application-layer CPU kharch kiye.
Edge cases
What happens to a packet whose 5-tuple matches an entry that just timed out?
Use unsolicited treat kiya jaata hai — entry gone hai, isliye stateful firewall use explicit rules ke against re-evaluate karta hai aur (deny-by-default) drop kar deta hai jab tak koi rule allow na kare.
A UDP "connection" has no SYN/ACK — how does a stateful firewall track it?
Ye pehle outbound UDP packet (5-tuple) par ek pseudo-state entry create karta hai aur ek short timeout ke liye isse matching return packets allow karta hai, kyunki UDP koi explicit close nahi deta.
An outbound SYN is allowed and a state entry created, but no SYN-ACK ever returns — what happens?
Half-open entry SYN_SENT mein baith jaati hai jab tak ek timeout expire na ho aur tab remove ho jaati hai; aisi half-opens mass-produce karna exactly SYN-flood exhaustion attack hai.
A packet arrives with both SYN and ACK set but matches no table entry — allow or drop?
Ek stateful firewall use drop karta hai: ek akela SYN-ACK bina prior outbound SYN ke kisi approved connection ka nahi hota (ye ek classic scan/spoof probe hai).
If two internal hosts pick the same source port to the same server, do their flows collide in the table?
Nahi — 5-tuple mein alag source IPs shamil hain, isliye tuples alag hain aur har ek ko apni entry milti hai; isliye hi paanch fields zaroori hain.
What does a firewall do with an ICMP echo-reply when no echo-request went out?
Ek stateful firewall koi matching request state nahi paata aur use unsolicited ki tarah drop kar deta hai; ek naive stateless "allow all ICMP" rule use through aane deta, reconnaissance mein madad karta.
Recall Jaane se pehle ek-line self-test
Jawab cover karo: kya tum bata sakte ho kyun ACK trick leaks karta hai, kyun stateful DoS-vulnerable hai, aur kyun pehle packet ko hamesha ek explicit rule chahiye? Agar haan, toh ye topic tumhara hai.