Firewall Wizards mailing list archives

Re: Gauntlet 5.5, is packet filtering stateful?


From: Ulrich Flegel <Ulrich.Flegel () udo edu>
Date: Tue, 04 Sep 2001 20:10:59 +0200

On Sat, 1 Sep 2001, Lance Spitzner said:

  LS> Gauntlet ver5.5 firewall has packet filtering capabilities.
  LS> Are these packet filtering features stateful?  By stateful,
  LS> I mean does Gauntlet 5.5, using the packet filtering capabilities,
  LS> have the intelligence to expect a return packet, similar to
  LS> most stateful firewalls?

The description of so-called "forward with reply" rules in the 5.5
documentation describes the common notion of stateful filtering.

Nevertheless someone around (I do not remember the name) claimed that
a "forward with reply" rule would just cause an additional reversed ack
rule to be included in the rule set.

I could not verify this claim positively. This could either mean the
claim is wrong or my test was not sufficiently extensive.

The test was very simple: I used nmap's ACK scan to send TCP
ACK-packets to a host protected by the Gauntlet V5.5. I used tcpdump
to check whether the packets arrived at the host. The packets were not
forwarded by the Gauntlet V5.5. The host nevertheless is able to
connect to outside hosts using a "forward with reply" rule for
tcp. By placing a simple "forward" rule on top of the "forward with
reply" rule I can make the Gauntlet pass the ACK scan. If that rule is
removed, the ACK does not pass.

This does not yet prove the Gauntlet V5.5 does comprehensive stateful
filtering. It might just mean that "forward with reply" rules cause an
additional reversed rule which checks more conditions than just the
ACK Flag being set.

Maybe someone did more extensive testing and came up with conclusive
results concerning the Gauntlet V5.5 "forward with reply" rule
behaviour.

Best regards,
 Ulrich Flegel
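The post above leaves open whether a "forward with reply" rule is a real
connection-tracking rule or merely a reversed rule with extra match
conditions. The following Python model, added here as an illustration
(it is not code from the Gauntlet product or from the original post),
replays a short constructed packet trace through three hypothetical
filter models: a reversed rule matching only the ACK flag (the claim the
post could not verify), a reversed rule that additionally demands an
ephemeral destination port (one "more conditions" variant), and a
genuine stateful filter. All addresses, ports and class names are
assumptions made for the example; nothing touches a network.

```python
"""Three models of what a "forward with reply" rule might mean.

Added example, not code from Gauntlet or from the original post.
Packets are constructed in-memory records; nothing touches the network.
  * ReverseAckFilter      - reversed rule passes any inbound packet with ACK
  * ReverseAckPortFilter  - reversed rule also requires an ephemeral dport
  * StatefulFilter        - inbound packets pass only if they belong to a
                            connection opened from the inside
"""
from dataclasses import dataclass
from typing import FrozenSet, List

INSIDE_PREFIX = "10.0.0."   # constructed protected network
EPHEMERAL_MIN = 1024        # assumption: client ports live above 1023


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "FIN", "RST"}


def inbound(p: Packet) -> bool:
    return p.dst.startswith(INSIDE_PREFIX) and not p.src.startswith(INSIDE_PREFIX)


def outbound(p: Packet) -> bool:
    return p.src.startswith(INSIDE_PREFIX) and not p.dst.startswith(INSIDE_PREFIX)


class ReverseAckFilter:
    """Forward rule plus a reversed rule that matches only on the ACK flag."""

    def allow(self, p: Packet) -> bool:
        if outbound(p):
            return True
        return inbound(p) and "ACK" in p.flags


class ReverseAckPortFilter(ReverseAckFilter):
    """Reversed rule checks the ACK flag and an ephemeral destination port."""

    def allow(self, p: Packet) -> bool:
        return super().allow(p) and (outbound(p) or p.dport >= EPHEMERAL_MIN)


class StatefulFilter:
    """Connection table keyed on the outbound SYN; replies must match it."""

    def __init__(self) -> None:
        self.table = set()

    def allow(self, p: Packet) -> bool:
        if outbound(p):
            if p.flags == frozenset({"SYN"}):
                self.table.add((p.src, p.sport, p.dst, p.dport))
            return True
        if inbound(p):
            key = (p.dst, p.dport, p.src, p.sport)
            if key not in self.table:
                return False            # unsolicited, whatever the flags
            if p.flags & {"FIN", "RST"}:
                self.table.discard(key)  # simplification: close immediately
            return True
        return False


def build_trace() -> List[Packet]:
    """Constructed trace: one real connection, then unsolicited probes."""
    f = frozenset
    return [
        Packet("10.0.0.5", 40000, "192.0.2.10", 80, f({"SYN"})),         # client opens
        Packet("192.0.2.10", 80, "10.0.0.5", 40000, f({"SYN", "ACK"})),  # genuine reply
        Packet("192.0.2.66", 54321, "10.0.0.5", 22, f({"ACK"})),         # unsolicited ACK, low port
        Packet("192.0.2.66", 54321, "10.0.0.5", 8080, f({"ACK"})),       # unsolicited ACK, high port
        Packet("192.0.2.66", 54321, "10.0.0.5", 22, f({"SYN"})),         # unsolicited SYN
    ]


def run(filt, packets: List[Packet]) -> List[bool]:
    return [filt.allow(p) for p in packets]


def compare_models(packets: List[Packet] = None) -> dict:
    packets = packets or build_trace()
    return {
        "reverse_ack": run(ReverseAckFilter(), packets),
        "reverse_ack_port": run(ReverseAckPortFilter(), packets),
        "stateful": run(StatefulFilter(), packets),
    }


if __name__ == "__main__":
    for name, verdicts in compare_models().items():
        print(f"{name:17s}", ["pass" if v else "drop" for v in verdicts])
```

Only the genuine reply passes all three models. The plain reversed-ACK
model passes both unsolicited ACK probes, so the observation in the post
(the ACK scan did not get through) already contradicts it. The
reversed-rule-with-port-condition model drops the probe to port 22 but
passes the one to port 8080, and only the stateful model drops both; a
test that probes a single port class therefore cannot tell the last two
models apart, which is the caveat the post raises.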

 
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards