stateful feature

Sep 21st, 2007

Hi,

What is a stateful feature in a PIX firewall? What is the difference between a router access-list and a PIX access-list?

Jon Marshall Fri, 09/21/2007 - 05:20

Hi

A standard access-list on a router is not stateful, whereas a firewall like the PIX does keep state, i.e.

when a conversation between two machines is set up with a firewall in the traffic path, the firewall keeps track of not just the IP address/port number but also the TCP flags that are used in the packet.

So if I initiate a connection to a server using telnet, my initial packet has:

Source IP address: 192.168.5.1 (my client)

Source port: 23467 (randomly generated port)

Destination IP address: 172.16.10.1 (telnet server)

Destination port: 23 (telnet port)

TCP Flags: SYN

The firewall will enter this into its state table.

Now when the server responds:

Source IP address: 172.16.10.1

Source port: 23

Destination IP address: 192.168.5.1

Destination port: 23467

TCP Flags: SYN/ACK

The firewall receives this packet, checks its state table and realises this is a return packet to the initial packet sent out by the client.

So if the above packet from the server were sent to the client, but the client had not actually sent a packet first, the firewall would drop the packet because it has no entry in its state table.

A router access-list does not keep state of the connection in the same way. It merely checks the packet against its access-list and permits or denies it, but it has no concept of "return" traffic or a packet being part of an ongoing communication.

HTH

Jon
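An added illustration of the difference Jon describes, written for this page rather than taken from the thread or from Cisco: a stateless ACL and a minimal state table are simulated in Python, replaying the telnet packets from the post. The "inside" network prefix, the class and function names, and the three-stage state machine are assumptions made for the example.

```python
from dataclasses import dataclass

INSIDE_NET = "192.168.5."   # assumption: the telnet client's network is "inside"

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset        # e.g. {"SYN"} or {"SYN", "ACK"}

def stateless_acl(pkt):
    """Router ACL: each packet is judged on its own. To let telnet replies in, the
    ACL must permit source port 23 inbound, solicited or not."""
    if pkt.src_ip.startswith(INSIDE_NET) and pkt.dst_port == 23:
        return "permit"     # outbound telnet
    if pkt.dst_ip.startswith(INSIDE_NET) and pkt.src_port == 23:
        return "permit"     # "return" traffic, whether solicited or not
    return "deny"

class StatefulFirewall:
    """Keeps a state table keyed on addresses/ports and tracks the TCP flags."""
    def __init__(self):
        self.table = {}     # (client_ip, client_port, server_ip, server_port) -> stage

    def inspect(self, pkt):
        fwd = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if pkt.src_ip.startswith(INSIDE_NET) and pkt.flags == {"SYN"}:
            self.table[fwd] = "SYN_SENT"        # inside client opens a connection
            return "permit"
        if self.table.get(rev) == "SYN_SENT" and pkt.flags == {"SYN", "ACK"}:
            self.table[rev] = "ESTABLISHED"     # the reply the table was waiting for
            return "permit"
        stage = self.table.get(fwd) or self.table.get(rev)
        if stage == "ESTABLISHED" and "ACK" in pkt.flags:
            return "permit"                     # later packets of a known conversation
        return "drop"       # no entry, or flags do not fit the recorded stage

def run_scenario():
    """Replays the packets from the post; the SYN/ACK is first sent unsolicited."""
    syn = Packet("192.168.5.1", 23467, "172.16.10.1", 23, frozenset({"SYN"}))
    syn_ack = Packet("172.16.10.1", 23, "192.168.5.1", 23467, frozenset({"SYN", "ACK"}))
    ack = Packet("192.168.5.1", 23467, "172.16.10.1", 23, frozenset({"ACK"}))
    fw = StatefulFirewall()
    unsolicited = fw.inspect(syn_ack)           # arrives before any client SYN
    handshake = (fw.inspect(syn), fw.inspect(syn_ack), fw.inspect(ack))
    return {"acl_unsolicited": stateless_acl(syn_ack),
            "fw_unsolicited": unsolicited, "fw_handshake": handshake}
```

The ACL permits the unsolicited SYN/ACK because it matches the rule needed for genuine replies, while the state table drops it and only permits the same packet once a client SYN has created an entry.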
