Stateful Packet inspection (?)

Discussion in 'Techie Discussion' started by Jupitus, Sep 15, 2004.

  1. Jupitus

    Jupitus Old and short, no wonder I'm grumpy! Staff member Moderator FH Subscriber

    Hi Guys,

    have an application which is server client based for delivery of significant volumes of data for display, and it doesn't work (most of the time) via a firewall/router employing SPI technology. What I am trying to find is a definitive answer as to whether there are particular manufacturers who are providing hardware with the option to enable to disable SPI, preferably on an IP by IP or port basis.

    You may have guessed I know very little about such matters... help appreciated :)


  2. lecter

    lecter Fledgling Freddie

    With stateful packet inspection rules enabled works as follows.

    1. The client initiates a tcp connection (SYN with a sequence number)
    2. The firewall logs the connection attempt and forwards the packet to the destination.
    3. The server receives the packet and replies (ACK with the sequence number)
    4. The firewall checks the server packet against the log and forwards it to client if it matches.

    So if you want two-way initiated traffic you need to create rules for BOTH directions on a per range of ip basis.
  3. Jupitus

    Jupitus Old and short, no wonder I'm grumpy! Staff member Moderator FH Subscriber

    Hmmmm... thanks Lecter. I guess, in simpler terms, what you are suggesting is that an SPI router needs to be configured to allow TCP connections on appropriate ports not only for the external IP range but for the internal IP range also?

  4. TdC

    TdC Trem's hunky sex love muffin Staff member Moderator

    only if you want it to push things to outside by itself iirc. if a client comes in and initiates the connection then all should be well.

    I thought the whole point of being stateful was to do away with bi-directional rules? I'm a server bwoi though, not a firewall person.

    thing is, if you disallow connections from inside to the firewall , it won't work anyway.

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.