Connection Tracking
Connection tracking refers to the ability for a firewall
to maintain state information about connections -
source and destination IP address and port number pairs
(known as socket pairs),
protocol types, connection state and timeouts.
Firewalls able to do this are termed stateful.
Stateful firewalling is inherently more secure than
its 'stateless' counterpart - the simple packet filtering
commonly seen in most 'personal firewalls'.
Consider a candidate packet arriving on an external interface:
- if the packet matches an entry already recorded
in the firewall's state table,
the packet is part of an ESTABLISHED connection,
- if the packet is ICMP traffic it might be RELATED
to a UDP/TCP connection already in the state table,
- the packet might be attempting to start a NEW connection, or
- it might be unrelated to any connection; we say it is INVALID.
To support connection-tracking for valid TCP traffic,
in iptables, we employ the state-tracking module:
iptables -A INPUT -p tcp -m state \
--state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m state \
--state NEW,ESTABLISHED -j ACCEPT
Under Linux we can see how many connections may be tracked
from /proc/sys/net/ipv4/ip_conntrack_max
(typically 2^14),
and can see the connections from
/proc/net/ip_conntrack.
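As an added illustration (not part of the lecture slides), here is a toy Python model of the state table described above: entries keyed on socket pairs with a timeout, packets classified as NEW, ESTABLISHED, RELATED or INVALID, and the slide's two iptables rules applied as a default-drop policy. The Packet fields, the TIMEOUT value and all addresses are constructed for the example.

```python
import time
from dataclasses import dataclass
from typing import Optional

TIMEOUT = 120.0  # constructed value; real conntrack uses per-protocol, per-state timeouts

@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()    # TCP flags, e.g. frozenset({"SYN"})
    icmp_orig: Optional[tuple] = None # ICMP errors: the socket pair quoted in the payload

class ConnTracker:
    """State table keyed on the socket pair (proto, src, sport, dst, dport)."""
    def __init__(self, clock=time.monotonic):
        self.table = {}   # key -> [expiry time, seen_reply]
        self.clock = clock

    def _purge(self):  # drop entries whose timeout has elapsed
        now = self.clock()
        self.table = {k: v for k, v in self.table.items() if v[0] > now}

    def classify(self, pkt):
        self._purge()
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if rev in self.table:              # reply direction of a tracked connection
            self.table[rev] = [self.clock() + TIMEOUT, True]
            return "ESTABLISHED"
        if fwd in self.table:              # more traffic in the original direction
            self.table[fwd][0] = self.clock() + TIMEOUT
            return "ESTABLISHED" if self.table[fwd][1] else "NEW"
        if pkt.proto == "icmp" and pkt.icmp_orig is not None:
            o = pkt.icmp_orig              # does the quoted TCP/UDP socket pair exist?
            o_rev = (o[0], o[3], o[4], o[1], o[2])
            return "RELATED" if (o in self.table or o_rev in self.table) else "INVALID"
        if pkt.proto == "tcp" and pkt.flags != frozenset({"SYN"}):
            return "INVALID"               # e.g. a stray ACK with no tracked connection
        self.table[fwd] = [self.clock() + TIMEOUT, False]
        return "NEW"

# The slide's two rules: INPUT accepts ESTABLISHED, OUTPUT accepts NEW and ESTABLISHED.
ACCEPTED = {"INPUT": {"ESTABLISHED"}, "OUTPUT": {"NEW", "ESTABLISHED"}}

def verdict(tracker, pkt, chain):
    """ACCEPT or DROP for one packet; only TCP is matched, default policy assumed DROP."""
    state = tracker.classify(pkt)
    return "ACCEPT" if pkt.proto == "tcp" and state in ACCEPTED[chain] else "DROP"
```

Note that with these two rules an inbound SYN is NEW and is dropped, while the SYN/ACK reply to our own outbound SYN is ESTABLISHED and accepted; an ICMP error quoting a tracked flow is RELATED, though the slide's TCP-only rules do not accept it.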
CITS3002 Computer Networks, Lecture 11, Security of TCP/IP, p28, 15th May 2024.