Stateful Packet inspection (?)

[Jupitus]

Hi Guys,

have an application which is server client based for delivery of significant volumes of data for display, and it doesn't work (most of the time) via a firewall/router employing SPI technology. What I am trying to find is a definitive answer as to whether there are particular manufacturers who are providing hardware with the option to enable to disable SPI, preferably on an IP by IP or port basis.

You may have guessed I know very little about such matters... help appreciated

Thanks,

Jup.

 

[lecter]

With stateful packet inspection rules enabled works as follows.

1. The client initiates a tcp connection (SYN with a sequence number)
2. The firewall logs the connection attempt and forwards the packet to the destination.
3. The server receives the packet and replies (ACK with the sequence number)
4. The firewall checks the server packet against the log and forwards it to client if it matches.

So if you want two-way initiated traffic you need to create rules for BOTH directions on a per range of ip basis.

 

[Jupitus]

Hmmmm... thanks Lecter. I guess, in simpler terms, what you are suggesting is that an SPI router needs to be configured to allow TCP connections on appropriate ports not only for the external IP range but for the internal IP range also?

Thanks.

 

[TdC]

only if you want it to push things to outside by itself iirc. if a client comes in and initiates the connection then all should be well.

I thought the whole point of being stateful was to do away with bi-directional rules? I'm a server bwoi though, not a firewall person.

thing is, if you disallow connections from inside to the firewall , it won't work anyway.