SPI Firewall: what, exactly, does it do?

DD-WRT Forum Index -> Advanced Networking
XTF
DD-WRT User


Joined: 07 Apr 2010
Posts: 53

PostPosted: Tue Apr 03, 2012 12:19    Post subject: SPI Firewall: what, exactly, does it do?
What, exactly, does the SPI Firewall (option) do? I can't find the documentation for it anywhere.
BasCom
DD-WRT Guru


Joined: 29 Jul 2009
Posts: 1378
Location: Germany

PostPosted: Tue Apr 03, 2012 14:35    Post subject:
http://en.wikipedia.org/wiki/Stateful_firewall
_________________
RT-N66U @ Build 25697M K3.10.63
TL-WR842ND v1 @ BS-build 23919 WDS AP
TL-WR841ND @ BS-build 23919 WDS Client
TL-WR841ND @ BS-build 23919 Client Bridge ( Routed )
XTF
DD-WRT User


Joined: 07 Apr 2010
Posts: 53

PostPosted: Tue Apr 03, 2012 18:40    Post subject:
I know what SPI stands for. I'm asking what, exactly, it does in DD-WRT. Especially considering NAT itself provides some 'protection'.
BasCom
DD-WRT Guru


Joined: 29 Jul 2009
Posts: 1378
Location: Germany

PostPosted: Tue Apr 03, 2012 19:09    Post subject:
There, the shortcut is described, but the function, too!


Quote:

[...]
The stateful firewall depends on the three-way handshake of the TCP protocol when the protocol being used is TCP; when the protocol is UDP, the stateful firewall does not depend on anything related to TCP. When a client initiates a new connection, it sends a packet with the SYN bit set in the packet header. All packets with the SYN bit set are considered by the firewall as NEW connections. If the service which the client has requested is available on the server, the service will reply to the SYN packet with a packet in which both the SYN and the ACK bit are set. The client will then respond with a packet in which only the ACK bit is set, and the connection will enter the ESTABLISHED state. Such a firewall will pass all outgoing packets through but will only allow incoming packets if they are part of an ESTABLISHED connection, ensuring that hackers cannot start unsolicited connections with the protected machine.
[...]


That's what the SPI firewall in DD-WRT does, and other software too.

_________________
RT-N66U @ Build 25697M K3.10.63
TL-WR842ND v1 @ BS-build 23919 WDS AP
TL-WR841ND @ BS-build 23919 WDS Client
TL-WR841ND @ BS-build 23919 Client Bridge ( Routed )
XTF
DD-WRT User


Joined: 07 Apr 2010
Posts: 53

PostPosted: Tue Apr 03, 2012 19:57    Post subject:
Sounds like it's basically useless.
slobodan
DD-WRT Guru


Joined: 03 Nov 2011
Posts: 1555
Location: Zwolle

PostPosted: Tue Apr 03, 2012 21:58    Post subject:
XTF wrote:
Sounds like it's basically useless.

No, it is not useless. It gives you a "perfect stealth" rating with GRC Shields Up, unless you forward ports or otherwise open them (e.g. with UPnP).

It greatly improves computer security, seeing that your devices are always behind at least one firewall.

_________________
2 times APU2 Opnsense 21.1 with Sensei

2 times RT-AC56U running DD-WRT 45493 (one as Gateway, the other as AP, both bridged with LAN cable)

3 times Asus RT-N16 shelved

E4200 V1 running freshtomato 2020.8 (bridged with LAN cable)

3 times Linksys WRT610N V2 converted to E3000 and 1 original E3000 running freshtomato 2020.8 (bridged with LAN cable)


LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7647

PostPosted: Wed Apr 04, 2012 6:28    Post subject:
XTF wrote:
Sounds like it's basically useless.


Sounds like a reply from someone who hasn't understood.

Please feel free then to disable it.

_________________
Kernel panic: Aiee, killing interrupt handler!
BasCom
DD-WRT Guru


Joined: 29 Jul 2009
Posts: 1378
Location: Germany

PostPosted: Wed Apr 04, 2012 11:10    Post subject:
lol :O)
_________________
RT-N66U @ Build 25697M K3.10.63
TL-WR842ND v1 @ BS-build 23919 WDS AP
TL-WR841ND @ BS-build 23919 WDS Client
TL-WR841ND @ BS-build 23919 Client Bridge ( Routed )
XTF
DD-WRT User


Joined: 07 Apr 2010
Posts: 53

PostPosted: Wed Apr 04, 2012 20:29    Post subject:
slobodan wrote:
XTF wrote:
Sounds like it's basically useless.

No, it is not useless. It gives you a "perfect stealth" rating with GRC Shields Up,

Ah, stealth ports.
Security by obscurity? :p
slobodan
DD-WRT Guru


Joined: 03 Nov 2011
Posts: 1555
Location: Zwolle

PostPosted: Wed Apr 04, 2012 21:01    Post subject:
XTF wrote:
Ah, stealth ports.
Security by obscurity? :p

I don't say they solve everything, but open ports are invitations to hammering and further attacks. GRC Shields Up gives a perfect stealth status when it has no portscan evidence that anything like a computer or router exists behind your IP. Of course, torrents and servers will reveal your IP, as ordinary web surfing also does (to the websites you access).

_________________
2 times APU2 Opnsense 21.1 with Sensei

2 times RT-AC56U running DD-WRT 45493 (one as Gateway, the other as AP, both bridged with LAN cable)

3 times Asus RT-N16 shelved

E4200 V1 running freshtomato 2020.8 (bridged with LAN cable)

3 times Linksys WRT610N V2 converted to E3000 and 1 original E3000 running freshtomato 2020.8 (bridged with LAN cable)


XTF
DD-WRT User


Joined: 07 Apr 2010
Posts: 53

PostPosted: Thu May 10, 2012 7:55    Post subject:
slobodan wrote:
XTF wrote:
Ah, stealth ports.
Security by obscurity? :p

I don't say they solve everything, but open ports are invitations to hammering and further attacks.

You mean non-stealth ports? As the ports would still be closed due to NAT.
slobodan
DD-WRT Guru


Joined: 03 Nov 2011
Posts: 1555
Location: Zwolle

PostPosted: Sat May 12, 2012 11:37    Post subject:
XTF wrote:
You mean non-stealth ports? As the ports would still be closed due to NAT.

Yes, I meant non-stealth ports. GRC Shields Up marks them in red and says they're open ports. It says the ports are closed if it is still able to see them, and they are stealth if it finds no evidence of the existence of such a port. Perfect stealth means that the router does not answer ping and the GRC scanner finds no evidence that a computer/router exists at that IP.

_________________
2 times APU2 Opnsense 21.1 with Sensei

2 times RT-AC56U running DD-WRT 45493 (one as Gateway, the other as AP, both bridged with LAN cable)

3 times Asus RT-N16 shelved

E4200 V1 running freshtomato 2020.8 (bridged with LAN cable)

3 times Linksys WRT610N V2 converted to E3000 and 1 original E3000 running freshtomato 2020.8 (bridged with LAN cable)
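To make the two technical points in this thread concrete, the quoted Wikipedia description of the TCP handshake tracking and slobodan's distinction between "closed" and "stealth" ports, here is a toy packet filter written for this post. It is an added example, not DD-WRT's code and not posted by anyone in the thread. It tracks outbound connections the way the quoted text describes (an outgoing SYN creates a NEW entry, the client's ACK after the SYN/ACK makes it ESTABLISHED, UDP is tracked per request/reply pair) and admits inbound packets only when they match a tracked entry. Its `stealth` switch models what a scanner sees when an unsolicited inbound packet arrives: silently dropped means no evidence of a host (GRC's "stealth"), answered with a TCP RST or ICMP unreachable means "closed". All addresses, ports and packets are constructed sample traffic; the LAN prefix check, the class name and the verdict strings are assumptions of this example. On DD-WRT, whose firewall is built on Linux netfilter (iptables), the real-world equivalent of the tracker is the connection-tracking match, typically a rule accepting inbound `--state ESTABLISHED,RELATED` followed by a default DROP.

```python
"""Toy stateful (SPI) packet filter: allow all outbound traffic, allow inbound
traffic only when it belongs to a connection a LAN host opened, and show the
difference between dropping and rejecting unsolicited inbound packets.
Added example; not DD-WRT code. All traffic below is constructed."""

from dataclasses import dataclass
from typing import Dict, Tuple

LAN_PREFIX = "192.168.1."  # hypothetical LAN range used by the sample traffic


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""      # TCP flags as letters: "S" SYN, "SA" SYN/ACK, "A" ACK
    proto: str = "tcp"


def is_lan(ip: str) -> bool:
    """Crude 'inside' test: anything in the constructed LAN prefix is ours."""
    return ip.startswith(LAN_PREFIX)


class SPIFirewall:
    """Connection tracker plus verdict logic.

    stealth=True  : unsolicited inbound packets are silently dropped (no reply,
                    so a scanner sees nothing -> 'stealth').
    stealth=False : unsolicited inbound packets are rejected with RST/unreachable
                    (a scanner sees a host answering -> 'closed').
    """

    def __init__(self, stealth: bool = True):
        self.stealth = stealth
        # (lan_ip, lan_port, wan_ip, wan_port, proto) -> NEW | SYN_RECV | ESTABLISHED
        self.table: Dict[Tuple[str, int, str, int, str], str] = {}

    def filter(self, pkt: Packet) -> str:
        """Return the verdict for one packet: ACCEPT, DROP or REJECT."""
        return self._outbound(pkt) if is_lan(pkt.src) else self._inbound(pkt)

    def _outbound(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        state = self.table.get(key)
        if state is None:
            # First packet from inside: a TCP SYN or any UDP datagram opens a NEW entry.
            if pkt.proto == "udp" or pkt.flags == "S":
                self.table[key] = "NEW"
                return "ACCEPT"
            # A mid-stream packet for a connection we never saw; nothing to track it against.
            return "DROP"
        if state == "SYN_RECV" and pkt.flags == "A":
            self.table[key] = "ESTABLISHED"   # third step of the handshake
        return "ACCEPT"                       # all outbound traffic for tracked flows passes

    def _inbound(self, pkt: Packet) -> str:
        # Inbound packets are looked up with the tuple reversed (dst is the LAN host).
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        state = self.table.get(key)
        if state is None:
            # Unsolicited: never forwarded. The only choice is how visibly we refuse.
            return "DROP" if self.stealth else "REJECT"
        if pkt.proto == "tcp" and state == "NEW" and pkt.flags == "SA":
            self.table[key] = "SYN_RECV"      # server answered our SYN
        return "ACCEPT"


def demo() -> dict:
    """Run constructed sample traffic through the filter and collect verdicts."""
    lan, wan = "192.168.1.10", "203.0.113.5"     # constructed LAN host and remote host
    fw = SPIFirewall(stealth=True)
    r = {}
    # A normal outbound HTTPS connection: SYN out, SYN/ACK in, ACK out, data in.
    r["syn_out"] = fw.filter(Packet(lan, 50000, wan, 443, "S"))
    r["synack_in"] = fw.filter(Packet(wan, 443, lan, 50000, "SA"))
    r["ack_out"] = fw.filter(Packet(lan, 50000, wan, 443, "A"))
    r["data_in"] = fw.filter(Packet(wan, 443, lan, 50000, "A"))
    r["state"] = fw.table[(lan, 50000, wan, 443, "tcp")]
    # Unsolicited inbound SYN to a LAN host: dropped silently by the stealth firewall...
    r["unsolicited_stealth"] = fw.filter(Packet(wan, 40000, lan, 22, "S"))
    # ...but answered (and therefore visible as 'closed') by a rejecting one.
    r["unsolicited_closed"] = SPIFirewall(stealth=False).filter(Packet(wan, 40000, lan, 22, "S"))
    # Inbound ACK claiming to belong to a connection nobody inside opened.
    r["spoofed_ack"] = fw.filter(Packet(wan, 443, lan, 50001, "A"))
    # UDP DNS: the outbound query creates the entry the reply is matched against.
    r["dns_out"] = fw.filter(Packet(lan, 53000, wan, 53, proto="udp"))
    r["dns_in"] = fw.filter(Packet(wan, 53, lan, 53000, proto="udp"))
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

The point the example makes about XTF's "closed due to NAT" remark is that the verdict on unsolicited inbound packets is a policy choice: both filters refuse the connection, but only the dropping one leaves a scanner with no evidence that anything is there.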


Martian
DD-WRT Novice


Joined: 30 Sep 2017
Posts: 9

PostPosted: Tue Oct 03, 2017 2:49    Post subject:
Can SPI Firewall be disabled if I'm just running the router in Repeater Bridge Mode and the primary router has a firewall, or does it still provide some benefit?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Tue Oct 03, 2017 9:27    Post subject:
Yes, it can be disabled (I actually think it does not work at all in bridging mode).
_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
constharper
DD-WRT Novice


Joined: 06 Oct 2017
Posts: 2
Location: Kharkiv

PostPosted: Fri Oct 06, 2017 16:21    Post subject:
Very useful topic!
_________________
Web and Mobile Development Company
Page 1 of 2. All times are GMT.