? Stateful Inspection Module (extension to Masquerading)?

? Stateful Inspection Module (extension to Masquerading)?

Post by Jim Denn » Wed, 12 Mar 1997 04:00:00

        I heard a rumor that someone was working on a
        "stateful inspection module" as in extension to the
        ipfw/masquerading code in the Linux kernel.

        However I can't find any pointers to this.

        I have a client whose paid for some custom code
        (done by another party) of this sort and is willing
        to contribute some of his code and sponsorship to
        an existing Linux project -- if it is producing
        something that meets his needs.

        For those who are curious:

        The ipfw (TCP/IP "Firewall" code) provides support for
        packet filtering in the Linux kernel (2.x and later).  This
        allows one to configure a set of policies and rules for each
        TCP/IP interface (ethernet card, SLIP or PPP link -- even
        a PLIP link I suppose) -- so that the kernel will reject,
        accept or deny (there are subtle differences between rejecting
        and denying) any packet based on it source or destination address,
        port, or certain flags or options.  (People what want to know
        more about packet filtering than that should read Cheswick &
        Bellovin's Internet Firewalls book or the O'Reilly "Building
        Internet Firewalls, by Brent Chapman and Elizabeth Zwicky).

        The "masquerading" code provides support for "network address
        translation" (NAT) which allows one to "hide" a set of
        hosts (typically using RFC 1918 "private" IP addresses) behind a
        single, multi-homed (meaning it has at least two IP interfaces)
        host.  The idea is that the masquerading host intercepts service
        request from the "hidden" parties and acts as a transparent proxy.
        This differs from SOCKS and other normal proxies in that it doesn't
        require any knowlege on the part of the client (users or software).
        Basically it looks like a router to the client and a really busy
        host to all of the servers on the outside.

        The concept of "stateful inspection" comes in when you realize
        that normal packet filtering must make it's decision about each
        packet (accept, reject or deny) purely based on the characteristics
        of *that* packet.  It has no history or concept of the TCP session.
        If a packet claims to be part of an existing session or a fragment
        of a larger packet -- the filtering software simply accepts that as
        given (though the packet must fullfill all of that filter's set of
        rules).  Basically it wasn't possible to enforce a policy that the
        initial packets by acknowleged or anything like that.

        Stateful inspection means that the router (in this case the
        Linux system with the ipfw rules) does maintain state information
        that persists beyond a single packet's processing and throughout
        the duration of a TCP session.  (I gather that the term is
        meaningless with regards to UDP -- which as no "sessions.")

        Masquerading inherently must maintain state -- the host/router
        must keep a table of which "hidden" host's requests were
        redirected to which TCP/UDP port in order to know how to route
        the responses.

        So, it is natural to believe that most of the code for doing
        stateful inspection in ipfw already exists.  It would seem to
        be a matter of restructuring -- and a matter of adding more
        parsing and logic to the ipfwadm package (the command which
        allows an admin to configure the kernel's ipfw rule sets and

        If anyone knows who is working on the stateful inspection for
        Linux -- I would deeply appreciate a pointer or e-mail address.



Starshine Technical Services              http://www.starshine.org

        Key fingerprint =  2524E3FEF0922A84  A27BDEDB38EBB95A