* What does SPI firewall Mean?
From: Bhaskar @ 2008-04-04 7:32 UTC (permalink / raw)
To: netfilter-devel
Hi all,
I have been thinking about this question. The obvious answer I got is
SPI firewall understands the states of the packet flow and maintains the
states; TCP is the main protocol for stateful packet flow.
I am testing netfilter firewall with simple setup and the Linux kernel I
am using is 2.6.21.2. Here is the Setup:
<PC>-----------<Linux Router with Netfilter>-----------<ISP>
<Protected NW>                                          <WAN NW>
Following are the policies added in Linux Router:
Policies in Filter Table:
1. iptables -A FORWARD -i eth0 -o eth1 -p tcp -m state --state
NEW,ESTABLISHED --dport 80 -j ACCEPT
2. iptables -A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 53 -j
ACCEPT
3. iptables -A FORWARD -j LOG --log-prefix "Dropping Other Packets:"
4. iptables -A FORWARD -j DROP
Both INPUT and OUTPUT chains have DROP policy
Policies in NAT Table:
1. iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
The intention is to allow HTTP Traffic to the internal network. With
the above setup I am not able to browse from PC connected in Protected
NW. After analyzing the Logs I added another 2 policies above Policy
Number 3:
iptables -A FORWARD -i eth1 -o eth0 -p tcp -m state --state
NEW,ESTABLISHED --sport 80 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p udp -m udp --sport 53 -j ACCEPT
After adding these policies I am able to browse. AFAIK, once an
association is created (first time when packet is passing through
netfilter), the associated traffic would flow and Policies are not
parsed for the verdict. I am a little confused with this behavior.
Can somebody throw some light on this?
I see that /proc/net/nf_conntrack has correct association parameters
with outgoing IP parameters and what is expected. To my understanding
the above two policies need not be added as Netfilter is already aware
of the reply packets.
Thanks for your response,
-Bhaskar
* Re: What does SPI firewall Mean?
From: Jan Engelhardt @ 2008-04-04 8:49 UTC (permalink / raw)
To: Bhaskar; +Cc: netfilter-devel
On Friday 2008-04-04 09:32, Bhaskar wrote:
> I have been thinking about this question. The obvious answer I got is
> SPI firewall understands the states of the packet flow
Security Parameter Index
Single Packet Inspection
Stateless Packet Inspection
Stateful Packet Inspection
...
FWIW PCMCIA!</sarcasm>
(I have no joy figuring out what all your acronyms, SPI and NW mean.)
> 1. iptables -A FORWARD -i eth0 -o eth1 -p tcp -m state --state
> NEW,ESTABLISHED --dport 80 -j ACCEPT
> 2. iptables -A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 53 -j
> ACCEPT
> 3. iptables -A FORWARD -j LOG --log-prefix "Dropping Other Packets:"
> 4. iptables -A FORWARD -j DROP
>
> 1. iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>
> The intention is to allow HTTP Traffic to the internal network. With
> the above setup I am not able to browse from PC connected in Protected
> NW.
That is because -- despite the connection "association" being active --
you only allow http from eth0->eth1 but not the reverse direction.
> After analyzing the Logs I added another 2 policies above Policy
> Number 3:
> iptables -A FORWARD -i eth1 -o eth0 -p tcp -m state --state
> NEW,ESTABLISHED --sport 80 -j ACCEPT
> iptables -A FORWARD -i eth1 -o eth0 -p udp -m udp --sport 53 -j ACCEPT
>
> After adding these policies I am able to browse. AFAIK, once an
> association is created (first time when packet is passing through
> netfilter), the associated traffic would flow and Policies are not
> parsed for the verdict.
* Re: What does SPI firewall Mean?
From: Bhaskar @ 2008-04-04 9:23 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
SPI - Stateful Packet Inspection Firewall
NW - Network
"That is because -- despite the connection "association" being active --
you only allow http from eth0->eth1 but not the reverse direction. "
How do I make sure that the association is used?
Jan Engelhardt wrote:
>
> On Friday 2008-04-04 09:32, Bhaskar wrote:
>
>> I have been thinking about this question. The obvious answer I got is
>> SPI firewall understands the states of the packet flow
>
> Security Parameter Index
> Single Packet Inspection
> Stateless Packet Inspection
> Stateful Packet Inspection
> ...
> FWIW PCMCIA!</sarcasm>
>
> (I have no joy figuring out what all your acronyms, SPI and NW mean.)
>
>> 1. iptables -A FORWARD -i eth0 -o eth1 -p tcp -m state --state
>> NEW,ESTABLISHED --dport 80 -j ACCEPT
>> 2. iptables -A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 53 -j
>> ACCEPT
>> 3. iptables -A FORWARD -j LOG --log-prefix "Dropping Other Packets:"
>> 4. iptables -A FORWARD -j DROP
>>
>> 1. iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>>
>> The intention is to allow HTTP Traffic to the internal network. With
>> the above setup I am not able to browse from PC connected in Protected
>> NW.
>
> That is because -- despite the connection "association" being active --
> you only allow http from eth0->eth1 but not the reverse direction.
>
>> After analyzing the Logs I added another 2 policies above Policy
>> Number 3:
>> iptables -A FORWARD -i eth1 -o eth0 -p tcp -m state --state
>> NEW,ESTABLISHED --sport 80 -j ACCEPT
>> iptables -A FORWARD -i eth1 -o eth0 -p udp -m udp --sport 53 -j ACCEPT
>>
>> After adding these policies I am able to browse. AFAIK, once an
>> association is created (first time when packet is passing through
>> netfilter), the associated traffic would flow and Policies are not
>> parsed for the verdict.
* Re: What does SPI firewall Mean?
From: Jan Engelhardt @ 2008-04-04 9:47 UTC (permalink / raw)
To: Bhaskar; +Cc: netfilter-devel
On Friday 2008-04-04 11:23, Bhaskar wrote:
>> That is because -- despite the connection "association" being active --
>> you only allow http from eth0->eth1 but not the reverse direction.
>
> How do I make sure that the association is used?
They are used. But you do not allow them.
As you said, you need
>>> After analyzing the Logs I added another 2 policies above Policy
>>> Number 3:
>>> iptables -A FORWARD -i eth1 -o eth0 -p tcp -m state --state
>>> NEW,ESTABLISHED --sport 80 -j ACCEPT
>>> iptables -A FORWARD -i eth1 -o eth0 -p udp -m udp --sport 53 -j ACCEPT
or rewrite your existing rules...
>>> 1. iptables -A FORWARD -i eth0 -o eth1 -p tcp -m state --state
>>> NEW,ESTABLISHED --dport 80 -j ACCEPT
>>> 2. iptables -A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 53 -j
>>> ACCEPT
>>> 3. iptables -A FORWARD -j LOG --log-prefix "Dropping Other Packets:"
>>> 4. iptables -A FORWARD -j DROP
>>>
>>> 1. iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
...to be something like:
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp -m conntrack --ctstate NEW
--dport 80 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 53 -j ACCEPT
(DNS can also go over TCP!)
iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "dropping others"
iptables -P FORWARD DROP
(no need for -j DROP at the end when you can do it with -P)
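To make the point of this thread concrete, here is a small Python model of how the FORWARD chain interacts with connection tracking. It is an added example, not code from the thread or from the netfilter project: conntrack tags each packet NEW or ESTABLISHED and only keeps a new entry if the packet was not dropped, but the FORWARD chain is still walked for every packet, so the reply direction is dropped unless some rule ACCEPTs it. The two rulesets are the original one and Jan's rewrite; NAT is left out, and the interfaces, addresses and ports are constructed for the replay.

```python
"""Toy model of netfilter FORWARD evaluation with connection tracking.
Added example for this thread, not netfilter code.  It replays a HTTP
SYN from the LAN, the SYN-ACK reply from the WAN, and an unsolicited
inbound SYN, against the original ruleset and the rewritten one."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    """One FORWARD rule; a None field means the option was not given."""
    target: str                          # ACCEPT, DROP or LOG
    in_if: Optional[str] = None          # -i
    out_if: Optional[str] = None         # -o
    proto: Optional[str] = None          # -p
    dport: Optional[int] = None          # --dport
    sport: Optional[int] = None          # --sport
    ctstate: Optional[Set[str]] = None   # -m conntrack --ctstate
    log_prefix: str = ""                 # --log-prefix

    def matches(self, pkt: Packet, state: str) -> bool:
        return all([
            self.in_if in (None, pkt.in_if),
            self.out_if in (None, pkt.out_if),
            self.proto in (None, pkt.proto),
            self.dport in (None, pkt.dport),
            self.sport in (None, pkt.sport),
            self.ctstate is None or state in self.ctstate,
        ])


Tuple5 = Tuple[str, str, int, str, int]


class Conntrack:
    """Original-direction 5-tuple -> whether a reply has been seen."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple5, bool] = {}

    def classify(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.entries:                   # original direction
            return "ESTABLISHED" if self.entries[fwd] else "NEW"
        if rev in self.entries:                   # reply direction
            self.entries[rev] = True              # both directions seen now
            return "ESTABLISHED"
        return "NEW"

    def confirm(self, pkt: Packet) -> None:
        """A new entry is only kept when the first packet is not dropped."""
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd not in self.entries and rev not in self.entries:
            self.entries[fwd] = False


def forward(chain: List[Rule], policy: str, pkt: Packet,
            ct: Conntrack, log: List[str]) -> Tuple[str, str]:
    """Walk the chain: LOG matches fall through, the first ACCEPT/DROP
    match wins, and the chain policy applies when nothing matched."""
    state = ct.classify(pkt)
    verdict = policy
    for rule in chain:
        if not rule.matches(pkt, state):
            continue
        if rule.target == "LOG":
            log.append(f"{rule.log_prefix} {pkt.proto} "
                       f"{pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport} {state}")
            continue
        verdict = rule.target
        break
    if verdict == "ACCEPT":
        ct.confirm(pkt)
    return verdict, state


# The original FORWARD rules from the first mail (NAT omitted).
ORIGINAL = [
    Rule("ACCEPT", "eth0", "eth1", "tcp", dport=80, ctstate={"NEW", "ESTABLISHED"}),
    Rule("ACCEPT", "eth0", "eth1", "udp", dport=53),
    Rule("LOG", log_prefix="Dropping Other Packets:"),
    Rule("DROP"),
]
# Jan's rewrite: accept ESTABLISHED first, whatever the direction.
REWRITE = [
    Rule("ACCEPT", ctstate={"ESTABLISHED"}),
    Rule("ACCEPT", "eth0", "eth1", "tcp", dport=80, ctstate={"NEW"}),
    Rule("ACCEPT", "eth0", "eth1", "tcp", dport=53),
    Rule("ACCEPT", "eth0", "eth1", "udp", dport=53),
    Rule("LOG", log_prefix="dropping others"),
]


def run(chain: List[Rule], policy: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Replay three constructed packets and return verdicts and log lines."""
    ct: Conntrack = Conntrack()
    log: List[str] = []
    syn = Packet("eth0", "eth1", "tcp", "192.168.1.10", 40000, "203.0.113.5", 80)
    synack = Packet("eth1", "eth0", "tcp", "203.0.113.5", 80, "192.168.1.10", 40000)
    probe = Packet("eth1", "eth0", "tcp", "198.51.100.7", 55555, "192.168.1.10", 22)
    return [forward(chain, policy, p, ct, log) for p in (syn, synack, probe)], log


if __name__ == "__main__":
    for name, chain, policy in (("original", ORIGINAL, "ACCEPT"), ("rewrite", REWRITE, "DROP")):
        verdicts, log = run(chain, policy)
        print(name, verdicts, log)
```

With the original rules the SYN-ACK is classified ESTABLISHED (the entry is in /proc/net/nf_conntrack, as observed in the first mail) but no rule accepts eth1->eth0, so it hits the LOG and DROP rules. With the rewrite the same packet is accepted by the first rule, while an unsolicited inbound SYN is still NEW and falls through to the DROP policy.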