obtix
Obtix.Net
join:2000-11-26
West Harrison, NY |  reply to PapaDos
Re: SPI?
that still doesnt answer my question
--
vexation | vexation@epix.net |
|
PapaDos
Cum Grano Salis
Premium,MVM
join:2001-02-08
Lasalle, QC
 ·Bell Sympatico
| You mean about the forwarding ?
It is the normal behavior. If you can't configure the SPI to restrict its action somehow, it would conflict with the forwarding. So Linksys made it an exclusion choice.
--
Software & Russian roulette, Hm... |
|
Bill_MI
Bill In Michigan
Premium,MVM
join:2001-01-03
Royal Oak, MI
·EarthLink
edited
| reply to obtix
said by vexation:
that still doesnt answer my question
Stateful Packet Inspection, traditionally, is a form of routing that keeps track of connection states. For example, TCP has the "connected" state while UDP is connectionless so is virtually unaffected by SPI. Here's the way the internal workings *should* be:
With SPI
Outgoing connection attempted from LAN-A to SITE-B.
SITE-B responds, parameters exchanged.
TCP state is "connected".
While state is "connected" forward all SITE-B to LAN-A.
TCP disconnects, kill connection immediately.
Without SPI
Outgoing connection attempted from LAN-A to SITE-B.
For the next 4 minutes forward any SITE-B to LAN-A.
Any packets starts a new 4 minutes.
If no packets after 4 minutes, kill connection.
See the difference? SPI is one heck of a lot "smarter" and can do fancy things a LOT more efficiently and correctly.
Now... does LinkSys do this? Hmmmm... your guess is as good as mine. I still see no affect except it seems to be a global safety switch. Yes, enabling SPI turns off Port Forwarding, kills ping reply and the TCP "closed" reply. Someday I'll be playing with a packet generator and really see what it really does. Of course I'll post my results  .
How's that?
--
Expert Opinions: $5... I Shut Up: $10
[text was edited by author 2001-07-11 14:36:27] |
|
SYNACK
Just Firewall It
Premium,Mod
join:2001-03-05
Venice, CA
 ·Comcast Formerly ..
Host:
Networking
Virtual Private Ne..
Netgear
ZyXEL
| Still, NAT itself keeps a connection cache and is very "stateful" in this respect, even for UDP and ICMP. It even dynamically "opens" secondary ports, such as used for ftp-data.
So, in the absence of port forwarding, nothing else is needed because NAT protection is very strong. It seems the SPI switch just ensures that NAT protection is not bypassed by disallowing port forwarding.
"Real" SPI, such as found on the Zywall 10, really shines on 1-1 mapped and DMZ hosts where NAT protection is NOT available. |
|
Bill_MI
Bill In Michigan
Premium,MVM
join:2001-01-03
Royal Oak, MI
·EarthLink
edited
| Hi Synack. I guess you cannot argue the Linky has a form of SPI because outbound TCP connections on port 21 (hehe.. ftp!) are decoded for the PORT command, the outbound PORT command is corrected and the LinkSys forwards accordingly. The ftp data then flows correctly.
But I can assure you this action is not at all linked to the "SPI" option. Besides, I want LinkSys to start doing this on other ports and perform a few PASVs too!
EDIT: In fact, I think this ftp PORT translation was done by LinkSys because it made the LinkSys look bad customers couldn't ftp anywhere with MSIE (instead of the truth - MSIE doesn't know what it's doing! ).
[text was edited by author 2001-07-11 20:37:43] |
|
obtix
Obtix.Net
join:2000-11-26
West Harrison, NY
|  Thx Bill, thats really what i wanted to know about it  i'll play around with it too, i just wasnt to sure what it was ment to do cept seemed to mess the router up (now i know why)
--
vexation | vexation@epix.net |
|
