SPI Firewall: what, exactly, does it do?

DD-WRT Forum Forum Index -> Advanced Networking
XTF
DD-WRT Novice


Joined: 07 Apr 2010
Posts: 42

PostPosted: Tue Apr 03, 2012 12:19    Post subject: SPI Firewall: what, exactly, does it do?
What, exactly, does the SPI Firewall (option) do? I can't find the documentation for it anywhere.
BasCom
DD-WRT Guru


Joined: 29 Jul 2009
Posts: 1357
Location: Germany

PostPosted: Tue Apr 03, 2012 14:35
http://en.wikipedia.org/wiki/Stateful_firewall
_________________
RT-N66U @ kongac Build 24200M K3.10.40
TL-WR842ND v1 @ BS-build 23919 WDS AP
TL-WR841ND @ BS-build 23919 WDS Client
TL-WR841ND @ BS-build 23919 Client Bridge ( Routed )
XTF
DD-WRT Novice


Joined: 07 Apr 2010
Posts: 42

PostPosted: Tue Apr 03, 2012 18:40
I know what SPI stands for. I'm asking what, exactly, it does in DD-WRT. Especially considering NAT itself provides some 'protection'.
BasCom
DD-WRT Guru


Joined: 29 Jul 2009
Posts: 1357
Location: Germany

PostPosted: Tue Apr 03, 2012 19:09
The abbreviation is explained there, but the function, too!


Quote:

[...]
The stateful firewall depends on the three-way handshake of the TCP protocol when the protocol being used is TCP; when the protocol is UDP, the stateful firewall does not depend on anything related to TCP. When a client initiates a new connection, it sends a packet with the SYN bit set in the packet header. All packets with the SYN bit set are considered by the firewall as NEW connections. If the service which the client has requested is available on the server, the service will reply to the SYN packet with a packet in which both the SYN and the ACK bit are set. The client will then respond with a packet in which only the ACK bit is set, and the connection will enter the ESTABLISHED state. Such a firewall will pass all outgoing packets through but will only allow incoming packets if they are part of an ESTABLISHED connection, ensuring that hackers cannot start unsolicited connections with the protected machine.
[...]


That's what the SPI firewall in DD-WRT (and other software) does.

_________________
RT-N66U @ kongac Build 24200M K3.10.40
TL-WR842ND v1 @ BS-build 23919 WDS AP
TL-WR841ND @ BS-build 23919 WDS Client
TL-WR841ND @ BS-build 23919 Client Bridge ( Routed )
XTF
DD-WRT Novice


Joined: 07 Apr 2010
Posts: 42

PostPosted: Tue Apr 03, 2012 19:57
Sounds like it's basically useless.
slobodan
DD-WRT Guru


Joined: 03 Nov 2011
Posts: 1268
Location: Zwolle

PostPosted: Tue Apr 03, 2012 21:58
XTF wrote:
Sounds like it's basically useless.

No, it is not useless. It gives you a "perfect stealth" rating with GRC Shields Up, unless you forward ports or otherwise open them (e.g. with UPnP).

It greatly improves computer security, given that your devices are always behind at least one firewall.

_________________
Asus RT-N16 running Merlin (latest), formerly used Kong 22000++ kingkong-nv32k-broadcom with OTRW2

E4200 V1 running Kong 22000++ kingkong-nv60k-broadcom with OTRW2

2 times Linksys WRT610N V2 converted to E3000 running Kong 22000++ usb-ftp-samba3-dlna-nv60k-broadcom with OTRW2 (bridged with LAN cable)


LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7161

PostPosted: Wed Apr 04, 2012 6:28
XTF wrote:
Sounds like it's basically useless.


Sounds like a reply from someone who hasn't understood..

Please feel free then to disable it.

_________________
I'm on a whiskey diet, lost 3 days already
BasCom
DD-WRT Guru


Joined: 29 Jul 2009
Posts: 1357
Location: Germany

PostPosted: Wed Apr 04, 2012 11:10
lol :O)
_________________
RT-N66U @ kongac Build 24200M K3.10.40
TL-WR842ND v1 @ BS-build 23919 WDS AP
TL-WR841ND @ BS-build 23919 WDS Client
TL-WR841ND @ BS-build 23919 Client Bridge ( Routed )
XTF
DD-WRT Novice


Joined: 07 Apr 2010
Posts: 42

PostPosted: Wed Apr 04, 2012 20:29
slobodan wrote:
XTF wrote:
Sounds like it's basically useless.

No, it is not useless. It gives you a "perfect stealth" rating with GRC Shields Up,

Ah, stealth ports.
Security by obscurity? :p
slobodan
DD-WRT Guru


Joined: 03 Nov 2011
Posts: 1268
Location: Zwolle

PostPosted: Wed Apr 04, 2012 21:01
XTF wrote:
Ah, stealth ports.
Security by obscurity? :p

I don't say they solve everything, but open ports are invitations to hammering and further attacks. GRC Shields Up gives a perfect stealth status when it has no portscan evidence that anything like a computer or router exists behind your IP. Of course, torrents and servers will reveal your IP, as ordinary web surfing also does (to the websites you access).

_________________
Asus RT-N16 running Merlin (latest), formerly used Kong 22000++ kingkong-nv32k-broadcom with OTRW2

E4200 V1 running Kong 22000++ kingkong-nv60k-broadcom with OTRW2

2 times Linksys WRT610N V2 converted to E3000 running Kong 22000++ usb-ftp-samba3-dlna-nv60k-broadcom with OTRW2 (bridged with LAN cable)


XTF
DD-WRT Novice


Joined: 07 Apr 2010
Posts: 42

PostPosted: Thu May 10, 2012 7:55
slobodan wrote:
XTF wrote:
Ah, stealth ports.
Security by obscurity? :p

I don't say they solve everything, but open ports are invitations to hammering and further attacks.

You mean non-stealth ports? As the ports would still be closed due to NAT.
slobodan
DD-WRT Guru


Joined: 03 Nov 2011
Posts: 1268
Location: Zwolle

PostPosted: Sat May 12, 2012 11:37
XTF wrote:
You mean non-stealth ports? As the ports would still be closed due to NAT.

Yes, I meant non-stealth ports. GRC Shields Up marks them in red and says they're open ports. It says the ports are closed if it is still able to see them, and they are stealth if it finds no evidence of the existence of such a port. Perfect stealth means that the router does not answer ping and the GRC scanner finds no evidence that a computer/router would exist at that IP.

_________________
Asus RT-N16 running Merlin (latest), formerly used Kong 22000++ kingkong-nv32k-broadcom with OTRW2

E4200 V1 running Kong 22000++ kingkong-nv60k-broadcom with OTRW2

2 times Linksys WRT610N V2 converted to E3000 running Kong 22000++ usb-ftp-samba3-dlna-nv60k-broadcom with OTRW2 (bridged with LAN cable)
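To make the two points in this thread concrete, here is a toy model of a stateful (SPI) packet filter: the connection table and NEW -> SYN_RECV -> ESTABLISHED transitions that BasCom's quoted description walks through, plus the open / closed / stealth outcomes of a Shields Up style SYN probe that slobodan describes. This is example code written for this page, not DD-WRT's firewall or its iptables rules; the "lan"/"wan" interface names, the Packet fields, the addresses and the DROP-vs-REJECT switch are all constructed assumptions.

```python
# Toy stateful-inspection (SPI) firewall, constructed to illustrate the thread above.
# Not DD-WRT code and not its iptables rules; interface names, addresses and the
# Packet model are made up for the demonstration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "lan" (inside) or "wan" (outside)
    src: str     # "ip:port" of the sender
    dst: str     # "ip:port" of the receiver
    flags: str   # TCP flags present, any of "S" (SYN), "A" (ACK), "R" (RST)


class SpiFirewall:
    """Connection table keyed by (initiator, responder); NEW -> SYN_RECV -> ESTABLISHED."""

    def __init__(self, unsolicited: str = "DROP", open_ports: Tuple[int, ...] = ()):
        # "DROP" answers nothing (Shields Up 'stealth'); "REJECT" sends a RST ('closed').
        self.unsolicited = unsolicited
        self.open_ports = set(open_ports)            # forwarded ports: unsolicited SYN allowed in
        self.table: Dict[Tuple[str, str], str] = {}  # (client, server) -> state

    def process(self, p: Packet) -> Tuple[str, Optional[Packet]]:
        """Return (verdict, packet the firewall itself emits or None)."""
        return self._outbound(p) if p.iface == "lan" else self._inbound(p)

    def _outbound(self, p: Packet) -> Tuple[str, Optional[Packet]]:
        key = (p.src, p.dst)
        state = self.table.get(key)
        if state is None and p.flags == "S":
            self.table[key] = "NEW"                  # first SYN from inside opens an entry
        elif state == "SYN_RECV" and p.flags == "A":
            self.table[key] = "ESTABLISHED"          # third leg of the handshake
        elif "R" in p.flags:
            self.table.pop(key, None)                # reset tears the entry down
        return "ACCEPT", None                        # all outgoing traffic passes

    def _inbound(self, p: Packet) -> Tuple[str, Optional[Packet]]:
        key = (p.dst, p.src)                         # reply direction: inside host initiated
        state = self.table.get(key)
        if state is not None and (p.flags == "SA" or "S" not in p.flags):
            if state == "NEW" and p.flags == "SA":
                self.table[key] = "SYN_RECV"         # server answered our SYN
            elif "R" in p.flags:
                self.table.pop(key, None)
            return "ACCEPT", None                    # belongs to a connection we saw start
        # No matching entry: unsolicited. Note a bare ACK with no entry is dropped too,
        # which a stateless "allow anything with ACK set" rule would have let through.
        dport = int(p.dst.rsplit(":", 1)[1])
        if p.flags == "S" and dport in self.open_ports:
            self.table[(p.src, p.dst)] = "NEW"       # forwarded port behaves like an open port
            return "ACCEPT", None
        if self.unsolicited == "REJECT":
            return "REJECT", Packet("wan", p.dst, p.src, "RA")   # TCP RST back to the scanner
        return "DROP", None                          # silence: nothing to see here


def probe(fw: SpiFirewall, port: int, scanner: str = "203.0.113.9:40000") -> str:
    """Shields Up style SYN probe from the WAN; classify the port as open/closed/stealth."""
    verdict, reply = fw.process(Packet("wan", scanner, f"198.51.100.1:{port}", "S"))
    if verdict == "ACCEPT":
        return "open"                                # a listener behind it would SYN/ACK
    return "closed" if reply is not None else "stealth"


def handshake_demo() -> List[str]:
    """Outbound HTTPS connection through the filter, then two unsolicited inbound packets."""
    fw = SpiFirewall()
    client, server, scanner = "192.168.1.10:50000", "93.184.216.34:443", "203.0.113.9:40000"
    steps = [
        Packet("lan", client, server, "S"),          # 1. client SYN        -> entry NEW
        Packet("wan", server, client, "SA"),         # 2. server SYN/ACK    -> SYN_RECV
        Packet("lan", client, server, "A"),          # 3. client ACK        -> ESTABLISHED
        Packet("wan", server, client, "A"),          # 4. server data       -> matches entry
        Packet("wan", scanner, client, "S"),         # 5. unsolicited SYN   -> no entry
        Packet("wan", scanner, client, "A"),         # 6. spoofed bare ACK  -> no entry
    ]
    return [fw.process(p)[0] for p in steps]


if __name__ == "__main__":
    print(handshake_demo())
    print("DROP policy  :", probe(SpiFirewall(), 80))
    print("REJECT policy:", probe(SpiFirewall(unsolicited="REJECT"), 80))
    print("forwarded 80 :", probe(SpiFirewall(open_ports=(80,)), 80))
```

The first four verdicts are ACCEPT and the last two are DROP: the scanner's SYN and its bare ACK have no table entry, so neither is answered, which is what produces the "stealth" reading. Switching the unsolicited policy to REJECT keeps the scanner out just as effectively but returns a RST, so the port shows as "closed" rather than "stealth"; a forwarded port (or one UPnP opened) is the only way the probe reads "open".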


All times are GMT