Reply to post: Stateful firewall? Where?

We did NAT see that coming: How malicious JavaScript can open holes in your firewall for miscreants to slip through


Stateful firewall? Where?

The most commonly used firewall configurations on many Linux based firewalls have been optimized to the point where they aren't proper stateful firewalls anymore. The port filtering stuff doesn't keep state at all, as it only trusts the packets to say they aren't established (RFC 3514 style) and relies on the NAT engine to keep track of the rest of the state info. On those routers, that means anything not using NAT isn't stateful at all, and anything that opens up external access on demand like UPnP effectively breaks the stateful nature of a firewall. The same is true for many business grade firewalls. An easy way to verify this is to check how much memory is used per data stream; if it is too low, it can't be stateful.
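As an added illustration (not part of the comment above or of The Register's article), the following nftables ruleset places the pattern the commenter describes, a filter rule that trusts the packet's own TCP flag bits to say it belongs to an existing connection, beside the form that actually consults the conntrack table, with the checks for confirming state tracking in the trailing comments. The interface name and the port are assumed values.

```nft
# Added illustration (not from the comment): two ways of "allowing return
# traffic" in an nftables input chain. eth0 and port 22 are assumed values.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept

        # Weak form: trusts the packet's own flag bits to say "I am not a
        # new connection" (the RFC 3514 style the comment refers to). No
        # lookup in the conntrack table happens, so any non-SYN segment is
        # accepted whether or not a matching connection was ever recorded.
        # tcp flags & (fin|syn|rst|ack) != syn accept

        # Stateful form: drop what conntrack cannot classify, accept only
        # packets belonging to a flow the conntrack engine already holds.
        ct state invalid drop
        ct state established,related accept

        # New inbound connections must be opened explicitly.
        iifname "eth0" tcp dport 22 ct state new accept
    }
}

# Checks (run as root) that the filter chain really consults state, rather
# than leaving state tracking to the NAT table alone:
#   nft list ruleset                       # "ct state" must appear in the filter chain, not only under nat
#   sysctl net.netfilter.nf_conntrack_max  # a conntrack table exists and has a bound
#   grep nf_conntrack /proc/slabinfo       # objsize column = memory per tracked flow (hundreds of bytes)
#   conntrack -L | head                    # live entries appear for current flows (conntrack-tools)
```

Load the file with `nft -f <file>` on a test box; the commented-out weak rule is kept only so the two forms can be compared side by side.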


Biting the hand that feeds IT © 1998–2021