From: Bhaskar <vbhaskar@rocsys.com>
To: netfilter-devel@vger.kernel.org
Subject: What does SPI firewall Mean?
Date: Fri, 04 Apr 2008 13:02:55 +0530
Message-ID: <47F5D9A7.4000403@rocsys.com>
Hi all,
I have been thinking about this question. The obvious answer I got is that
an SPI firewall understands the states of the packet flow and maintains the
states; TCP is the main protocol for stateful packet flow.
I am testing netfilter firewall with simple setup and the Linux kernel I
am using is 2.6.21.2. Here is the Setup:
<PC>-----------<Linux Router with Netfilter>-----------<ISP>
<Protected NW>                                       <WAN NW>
Following are the policies added in Linux Router:
Policies in Filter Table:
1. iptables -A FORWARD -i eth0 -o eth1 -p tcp -m state --state NEW,ESTABLISHED --dport 80 -j ACCEPT
2. iptables -A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 53 -j ACCEPT
3. iptables -A FORWARD -j LOG --log-prefix "Dropping Other Packets:"
4. iptables -A FORWARD -j DROP
Both INPUT and OUTPUT chains have DROP policy
Policies in NAT Table:
1. iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
The intention is to allow HTTP traffic to the internal network. With
the above setup I am not able to browse from the PC connected in the Protected
NW. After analyzing the logs, I added another 2 policies above Policy
Number 3:
iptables -A FORWARD -i eth1 -o eth0 -p tcp -m state --state NEW,ESTABLISHED --sport 80 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p udp -m udp --sport 53 -j ACCEPT
After adding these policies I am able to browse. AFAIK, once an
association is created (the first time a packet passes through
netfilter), the associated traffic would flow and the policies are not
parsed for the verdict. I am a little confused with this behavior.
Can somebody throw some light on this?
I see that /proc/net/nf_conntrack has correct association parameters
with outgoing IP parameters and what is expected. To my understanding
the above two policies need not be added as Netfilter is already aware
of the reply packets.
Thanks for your response,
-Bhaskar
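The following is an added illustration, not netfilter code and not part of the post or the thread. It is a toy Python model of how the FORWARD chain is walked with connection tracking: conntrack only supplies the value that `-m state` compares against, it never skips rule evaluation, so a reply packet arriving eth1->eth0 still has to match a rule in that direction or it falls through to the LOG and DROP rules. The model also contrasts the post's `--sport 80 --state NEW,ESTABLISHED` reply rule with the usual single reverse rule `-i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT`: an unsolicited inbound packet whose source port happens to be 80 is NEW, so the former accepts it while the latter does not. Assumptions: NAT is ignored, TCP flags and RELATED helpers are not modelled, the chain policy is taken as DROP, and the addresses and ports are constructed.

```python
"""Toy model of netfilter FORWARD traversal with conntrack state.

Constructed for illustration only; NOT netfilter code. NAT is ignored,
TCP flags are not tracked and RELATED is never produced: only the
NEW/ESTABLISHED bookkeeping needed to show why replies need a rule."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One FORWARD rule; None means the option was not given."""
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    states: Optional[FrozenSet[str]] = None   # -m state --state ...
    target: str = "ACCEPT"
    log_prefix: str = ""


class Conntrack:
    """Flow table keyed by the original-direction 5-tuple."""

    def __init__(self) -> None:
        self.table = {}   # tuple -> True once a reply has been seen

    @staticmethod
    def _tuples(pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return fwd, rev

    def classify(self, pkt) -> str:
        """State value that the '-m state' match sees for this packet."""
        fwd, rev = self._tuples(pkt)
        if fwd in self.table:
            return "ESTABLISHED" if self.table[fwd] else "NEW"
        if rev in self.table:
            self.table[rev] = True        # reply seen: flow is established
            return "ESTABLISHED"
        return "NEW"

    def confirm(self, pkt) -> None:
        """Commit a NEW entry; netfilter only does this for accepted packets."""
        fwd, rev = self._tuples(pkt)
        if fwd not in self.table and rev not in self.table:
            self.table[fwd] = False


def matches(rule: Rule, pkt: Packet, state: str) -> bool:
    return (rule.in_if in (None, pkt.in_if)
            and rule.out_if in (None, pkt.out_if)
            and rule.proto in (None, pkt.proto)
            and rule.sport in (None, pkt.sport)
            and rule.dport in (None, pkt.dport)
            and (rule.states is None or state in rule.states))


def forward(chain: List[Rule], ct: Conntrack, pkt: Packet, log: List[str]) -> str:
    """Walk the chain top to bottom for EVERY packet; conntrack only
    provides the state value, it never short-circuits the rules."""
    state = ct.classify(pkt)
    for rule in chain:
        if not matches(rule, pkt, state):
            continue
        if rule.target == "LOG":           # non-terminating, keep walking
            log.append(f"{rule.log_prefix} {pkt.in_if}->{pkt.out_if} {pkt.proto} "
                       f"{pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport} {state}")
            continue
        if rule.target == "ACCEPT":
            ct.confirm(pkt)
        return rule.target
    return "DROP"   # assumed chain policy


NEW_EST = frozenset({"NEW", "ESTABLISHED"})
EST_REL = frozenset({"ESTABLISHED", "RELATED"})

# The four rules from the post (rule 3 logs, rule 4 drops).
ORIGINAL = [
    Rule(in_if="eth0", out_if="eth1", proto="tcp", dport=80, states=NEW_EST),
    Rule(in_if="eth0", out_if="eth1", proto="udp", dport=53),
    Rule(target="LOG", log_prefix="Dropping Other Packets:"),
    Rule(target="DROP"),
]
# The post's fix: reply rules keyed on source port, accepting NEW too.
SPORT_FIX = ORIGINAL[:2] + [
    Rule(in_if="eth1", out_if="eth0", proto="tcp", sport=80, states=NEW_EST),
    Rule(in_if="eth1", out_if="eth0", proto="udp", sport=53),
] + ORIGINAL[2:]
# Usual stateful form: one reverse rule keyed on conntrack state only.
STATE_FIX = ORIGINAL[:2] + [Rule(in_if="eth1", out_if="eth0", states=EST_REL)] + ORIGINAL[2:]


def run(chain, packets):
    """Feed packets through a fresh conntrack table; return (verdicts, log)."""
    ct, log = Conntrack(), []
    return [forward(chain, ct, p, log) for p in packets], log


CLIENT, SERVER = "192.0.2.10", "198.51.100.80"   # constructed addresses
HTTP = [Packet("eth0", "eth1", "tcp", CLIENT, 40000, SERVER, 80),   # SYN out
        Packet("eth1", "eth0", "tcp", SERVER, 80, CLIENT, 40000)]   # SYN-ACK back
# Unsolicited inbound connection whose source port happens to be 80.
STRAY = [Packet("eth1", "eth0", "tcp", SERVER, 80, CLIENT, 22)]

if __name__ == "__main__":
    for name, chain in (("original", ORIGINAL), ("sport", SPORT_FIX), ("state", STATE_FIX)):
        print(name, run(chain, HTTP), run(chain, STRAY))
```

Running it shows the SYN-ACK being logged with the "Dropping Other Packets:" prefix under the original four rules even though conntrack already classifies it as ESTABLISHED, and accepted under either fix; only the `ESTABLISHED,RELATED` form still drops the unsolicited packet from source port 80.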
Thread overview: 4+ messages
2008-04-04 7:32 Bhaskar [this message]
2008-04-04 8:49 ` What does SPI firewall Mean? Jan Engelhardt
2008-04-04 9:23 ` Bhaskar
2008-04-04 9:47 ` Jan Engelhardt