Stateful inspection vs connection tracking?

  1. #1
    problemchild, Senior Member (joined Jul 2002, 551 posts)

    Stateful inspection vs connection tracking?

    OK, I'm confused.....

    I've been considering OpenBSD for my home router, and in the course of my research I ran across this piece on pf, OpenBSD's packet filtering utility, with a very interesting comment at the bottom:
    IPTables does not do stateful inspection/filtering, only connection tracking. As to how that would impact your needs, that is something you need to investigate. To me it sounds like a shortcoming in IPTables, one that hopefully will be changed.
    Conventional wisdom holds that netfilter is a stateful packet filter. So then I got curious..... and I found this post to the netfilter mailing list that seems to confirm that, with the following comment:
    This configuration can't be done with Netfilter because you are doing what we could call "connection tracking" and not "stateful inspection".
    I don't really understand the point he was making about the syn packet, but he certainly says that netfilter is not stateful.

    Then in this interview with Daniel Hartmeier, the author of pf, he goes into a very in-depth discussion of stateful inspection. I found this comment particularly interesting:
    We check each sequence number in each TCP packet against narrow windows of legal values. Mike Frantzen wrote this implementation, and he also fine-tuned all parameters to minimize the number of mismatches in real traffic. I don't know about commercial firewalls, but I believe this is the best implementation of stateful filtering around. Linux' netfilter is heading in the same direction, I think.
    Say what? I thought that was what netfilter did.....

    So what exactly is the difference between stateful inspection and connection tracking?
    Do what you want with the girl, but leave me alone!

  2. #2
    MrLinus, Just a Virtualized Geek (joined Sep 2001, Redondo Beach, CA, 7,324 posts)
    These links might help somewhat. I've always taught that IPTables is Stateful inspection but that you couldn't call it that. The term, stateful inspection, is owned by Checkpoint (Copyright and all). That said, IPTables can do Stateful Inspection (hence the match of state -- NEW, ESTABLISHED, RELATED) as well as filter based on qualities in the packet (types of ICMP, TOS, etc.). I think it's more a terminology issue than anything.


    http://www.sns.ias.edu/~jns/security/iptables/

    http://www.spinics.net/lists/netfilter/msg14629.html


    Hope this helps somewhat.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    problemchild, Senior Member (joined Jul 2002, 551 posts)
    Thanks for the links, MsMittens. I had actually already turned them up in my search, but they are very helpful nonetheless.

    I had always been under the impression that it was a difference in terminology, but this guy certainly seems to be claiming that there is a functional difference. Am I misreading him here, or is he wrong? What exactly is it he is claiming here, because I really don't follow the example:

    Actually, this discussion starts to make me aware of the difference
    between "connection tracking" and "stateful inspection". :-)

    > Of course, you can still use SYNs to scan the network, so they
    > haven't actually won anything here, except that if their firewall
    > reboots, established connections will die.

    Well, if you consider a full implementation of a stateful inspection
    firewall, you should be able to "hide" a network from outside without
    using NAT.

    For example, you can make up the following ruleset:

    o DENY SYN from outside -> inside
    o Allow NEW, ESTABLISHED, RELATED


    |Internet|----|FW|----|Hidden Net w/o NAT |


    On this configuration, you allow all the computers of your hidden net
    to have their own IP address and you disallow any sort of scan from
    outside. You can even imagine having a web server somewhere in your
    hidden network (you just have to add, as the first rule, one that allows
    all traffic on port 80 to this precise IP address).

    This configuration can't be done with Netfilter because you are doing
    what we could call "connection tracking" and not "stateful inspection".

    > The confusion here comes from the "TCP connection" vs
    > "connection tracking connection" distinction, which is subtle and
    > usually harmless.

    Harmless if you are running NAT. But, if you are trying to use Netfilter
    as a complete stateful inspection firewall, then you are in trouble
    (IMHO).
    Do what you want with the girl, but leave me alone!
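
    The point the three quotes circle around (the pf sequence-window check in post #1, the NEW/ESTABLISHED/RELATED state match in post #2, and the "hidden net" ruleset in the mailing-list quote above) can be made concrete with a small model. The following is an added example written for this thread; it is not code from netfilter, pf or any of the posters. It puts a tuple-only connection tracker beside a pf-style inspector that refuses mid-stream pickup and validates sequence numbers, and runs both under the quoted ruleset over constructed traces. The addresses (192.0.2.0/24 as the hidden net, 198.51.100.1 as the outside host), the web-server address and the 65535 window size are assumptions of the model.

```python
"""Toy model of 'connection tracking' versus 'stateful inspection' for TCP.

Constructed example for this thread; not code from netfilter, pf or the posts.
Two classifiers see the same packets:

  ConnTracker       knows a flow only by its address/port tuple.  A packet
                    with no entry is NEW whatever its TCP flags (netfilter's
                    default mid-stream "loose" pickup); a packet matching
                    an entry is ESTABLISHED.
  StatefulInspector lets only a bare SYN create state, and every later
                    packet must carry a sequence number inside a window
                    derived from what was already seen (the pf-style check).

Both run under the ruleset quoted from the mailing list: first rule allows
port 80 to one web server; then drop SYN outside->inside; then allow
NEW/ESTABLISHED/RELATED.  RELATED (ICMP errors, helper-opened data
channels) is never produced by this model.
"""
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10
OUTSIDE, INSIDE = "outside", "inside"
WEB_SERVER = "192.0.2.10"   # assumed address of the hidden web server
WINDOW = 65535              # assumed span of sequence numbers accepted past the expected one


@dataclass(frozen=True)
class Packet:
    zone: str        # interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int
    payload: int = 0  # bytes of data carried


def fwd_key(p):
    return (p.src, p.sport, p.dst, p.dport)


def rev_key(p):
    return (p.dst, p.dport, p.src, p.sport)


def next_seq(p):
    # Sequence number this side should use next: data length, plus one for SYN.
    return (p.seq + p.payload + (1 if p.flags & SYN else 0)) % 2**32


class ConnTracker:
    def __init__(self):
        self.table = set()

    def classify(self, p):
        if fwd_key(p) in self.table or rev_key(p) in self.table:
            return "ESTABLISHED"
        self.table.add(fwd_key(p))   # any packet, even a lone ACK, creates an entry
        return "NEW"


class StatefulInspector:
    def __init__(self):
        self.table = {}   # key -> {"fwd": expected seq, "rev": expected seq or None}

    def classify(self, p):
        k, r = fwd_key(p), rev_key(p)
        if k in self.table:
            entry, side = self.table[k], "fwd"
        elif r in self.table:
            entry, side = self.table[r], "rev"
        elif p.flags & SYN and not p.flags & ACK:
            self.table[k] = {"fwd": next_seq(p), "rev": None}
            return "NEW"
        else:
            return "INVALID"   # no state and not a SYN: refuse mid-stream pickup
        expected = entry[side]
        if expected is not None and (p.seq - expected) % 2**32 >= WINDOW:
            return "INVALID"   # sequence number outside the window: injected/forged
        entry[side] = next_seq(p)
        return "ESTABLISHED"


def filter_packet(tracker, p):
    """Track the packet first (as netfilter's conntrack hook does), then apply the rules.

    Real conntrack only confirms a new entry if the packet is accepted; this
    model keeps it regardless, so the traces below use distinct source ports.
    """
    state = tracker.classify(p)
    if p.zone == OUTSIDE and p.dst == WEB_SERVER and p.dport == 80:
        return "ACCEPT"                                    # web server exception
    if p.zone == OUTSIDE and p.flags & SYN and not p.flags & ACK:
        return "DROP"                                      # DENY SYN outside -> inside
    return "ACCEPT" if state in ("NEW", "ESTABLISHED", "RELATED") else "DROP"


def run(tracker_cls, packets):
    tracker = tracker_cls()
    return [filter_packet(tracker, p) for p in packets]


# Constructed traces: 192.0.2.0/24 is the hidden net, 198.51.100.1 the outside host.
SCAN = [
    Packet(OUTSIDE, "198.51.100.1", 40000, "192.0.2.20", 22, SYN, seq=1),   # SYN probe
    Packet(OUTSIDE, "198.51.100.1", 40001, "192.0.2.20", 22, ACK, seq=1),   # ACK probe
]
client, peer = ("192.0.2.20", 50000), ("198.51.100.1", 443)
SESSION = [
    Packet(INSIDE, *client, *peer, SYN, seq=1000),                  # inside opens
    Packet(OUTSIDE, *peer, *client, SYN | ACK, seq=5000),           # peer answers
    Packet(INSIDE, *client, *peer, ACK, seq=1001, payload=100),     # data out
    Packet(OUTSIDE, *peer, *client, ACK, seq=5001, payload=50),     # data back, in window
    Packet(OUTSIDE, *peer, *client, ACK, seq=999_999, payload=10),  # forged: far outside window
]

if __name__ == "__main__":
    for name, trace in (("scan", SCAN), ("session", SESSION)):
        print(name, "conntrack:", run(ConnTracker, trace))
        print(name, "stateful: ", run(StatefulInspector, trace))
```

    Run it and the ACK probe passes the tuple-only tracker (it is NEW, because nothing requires a new entry to start with a SYN) while the inspector drops it, and the forged in-session packet is accepted by the tracker but rejected by the sequence check. On a real netfilter box the usual answer to the first case is an explicit rule such as `iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP`, or turning off mid-stream pickup with the `nf_conntrack_tcp_loose` sysctl; the second case is the sequence-window check Hartmeier describes in the interview quoted in post #1.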

  4. #4
    MrLinus, Just a Virtualized Geek (joined Sep 2001, Redondo Beach, CA, 7,324 posts)
    Sounds more like an invisible firewall. But I noticed he said "complete stateful inspection firewall". That would suggest partial stateful inspection. If we go by the term as per English, I believe IPtables fits. It does do a pause-and-check of the packet (stateful inspection or packet filtering -- perhaps a more proper term would be dynamic packet filtering).

    But the "complete stateful inspection" sounds like something that is specific to Checkpoint, the ability to hide the firewall and the network.


    http://www.checkpoint.com/products/d...Inspection.pdf

    http://www.checkpoint.com/products/p...-1_primer.html

    The more I think about it perhaps the more he is accurate in that IPTables is more of a packet filter than a full-blown stateful inspection. A PIX firewall is closer to that than IPTables. But then again, IPTables is more for smaller usage compared to Checkpoint or Pix. It's a comparison of apples and oranges.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage
