Wilders Security Forums  

Wilders Security Forums > Archived Forums > Closed Sub-Forums > Archive of Ghost Security Forums > Other Ghost Security Software
  #1  
Old November 25th, 2007, 06:46 PM
feniks
Regular Poster
Join Date: Sep 2007
Posts: 130
Question to Jason_R0 or somebody who knows.

Hello.

I hope you can understand my English and what I am asking for.

I read that Windows Firewall has SPI and also that Ghostwall is superior to the Windows XP firewall.

So I would like to know if Ghostwall is filtering traffic using some kind of SPI. My simple basic understanding of SPI is that with Stateful Packet Inspection (SPI), every time a packet is sent out of the computer, the firewall keeps track of it. When a packet comes back to the firewall, the firewall can tell whether or not the inbound packet is a reply to the packet that was sent out.

If not by SPI, then how does Ghostwall decide what to allow inbound with only one rule (allow all out) and no rules for incoming?

The second and last rule blocks everything that does not match the rule above.

I understand that somehow inbound is allowed based on outbound, so that indicates some TCP packet filtering and remembering the request for communication, and that would fit SPI, maybe?

Also, Ghostwall closes unused ports, which again indicates SPI at work.

Here are some key features of "GhostWall":

· Packet filtering ability for TCP/UDP/RAW and ICMP.
· 64-bit and 32-bit compatible
· Suitable firewall for people who play games and other low latency requirements
· Very Low resource usage
· Minimal impact to network latency due to fast and efficient coding
· Shows network speed for TCP/UDP/RAW and ICMP
· Shows data transferred for TCP/UDP/RAW and ICMP
· Displays 50 last blocked and allowed packets for TCP/UDP/RAW and ICMP
· Panic buttons, to allow all traffic, or to block all traffic

What exactly does the first point mean?

I am just trying to understand... and I like Ghostwall so far because it is easy, fast and light, but I would like to know more about it.

I am also using CHX-I, so I am wondering if Ghostwall achieves its goal of allowing incoming traffic in a similar way?

I would really appreciate an answer.

Last edited by feniks : November 28th, 2007 at 08:38 PM. Reason: Try to clarify question.
  #2  
Old December 1st, 2007, 11:29 AM
james246
Infrequent Poster
Join Date: Nov 2005
Posts: 47
Re: Question to Jason_R0 or somebody who knows.

To me Ghostwall looks like a Vanilla Packet Filter without SPI
Though it is best for Jason to confirm
  #3  
Old December 19th, 2007, 10:54 AM
feniks
Regular Poster
Join Date: Sep 2007
Posts: 130
Re: Question to Jason_R0 or somebody who knows.

Quote:
Originally Posted by james246
To me Ghostwall looks like a Vanilla Packet Filter without SPI
Though it is best for Jason to confirm

I think I should refine my question, as this is not a question about SPI.

So the questions I have are:

1. How does Ghostwall decide what to allow inbound with only one rule (allow all out) and no rules for incoming?

2. Of the features below, what exactly does the first point mean?

Here are some key features of "GhostWall":

· Packet filtering ability for TCP/UDP/RAW and ICMP.
· 64-bit and 32-bit compatible
· Suitable firewall for people who play games and other low latency requirements
· Very Low resource usage
· Minimal impact to network latency due to fast and efficient coding
· Shows network speed for TCP/UDP/RAW and ICMP
· Shows data transferred for TCP/UDP/RAW and ICMP
· Displays 50 last blocked and allowed packets for TCP/UDP/RAW and ICMP
· Panic buttons, to allow all traffic, or to block all traffic
  #4  
Old December 19th, 2007, 11:43 AM
xtree
Regular Poster
Join Date: Dec 2006
Posts: 96
Re: Question to Jason_R0 or somebody who knows.

Hi,

Packet filtering means:

You define the particular packets (in and out) needed for your applications to communicate.

A packet should contain:

Description
Protocol (TCP/UDP/ICMP/RAW/ALL)
Local IP
Local Port
Remote IP
Remote Port
Direction (in/out/both)
Allowance (allow/block)

By defining all the above parameters you can precisely allow or block one or several applications to send/receive the respective packets through GW.
No further application based control is carried out.
See the rule handling section of GW at the bottom.

So if your app(s) is/are able to communicate in/out it means that your GW has all the valid packet rules needed for the respective application(s).
See the rule 'Loopback' allowing all protocols in/out with all local IPs, local ports and remote ports but for only one remote IP 127.0.0.1.

You could even say GW is not an application-based but a protocol-based firewall. If you want to receive (POP3 protocol) and send (SMTP protocol) e-mails, you have to use 2 specific TCP (out) packets using remote ports 110 (to receive) and 25 (to send).

Last edited by xtree : December 19th, 2007 at 12:10 PM.
  #5  
Old December 19th, 2007, 02:07 PM
feniks
Regular Poster
Join Date: Sep 2007
Posts: 130
Re: Question to Jason_R0 or somebody who knows.

Thank you xtree - that should clear the second question.

What about first question?

If there is no rule for incoming traffic, then either there is some stateful filtering (remembering the state), even a basic one like IP plus SYN out / SYN-ACK in (three-way handshake) in some state table, or, if it is stateless, then to me it means that when outbound communication opens a port, the port is just open for any incoming traffic without any filtering of the content that is coming in?

So does any started outbound communication also open the same port to any incoming traffic, without any filtering of the content to check if it belongs to the initiated communication?

And when no outbound communication goes on the port, is it closed by the last "block all" rule?

And if I make a rule to allow some incoming traffic, will it open that port to incoming traffic even without initiating anything out?

Hopefully I am correct now?
  #6  
Old December 19th, 2007, 06:55 PM
xtree
Regular Poster
Join Date: Dec 2006
Posts: 96
Re: Question to Jason_R0 or somebody who knows.

Hi,

when a rule opens a port (in/out/both) it is open all the time, not only when you have traffic through it. Constantly.
The last line saying 'all protocols blocked' is the compulsory ending of the packet filtering method. It means that all rules above that line are constantly valid (alive), while all the others below are out of use.
However, you can simply move any of the rules below over the 'block all' line, and by doing this that rule will become valid immediately.

If your machine communicates successfully it means you have your rule set adjusted properly.
Without proper rules it would not be able to communicate - like if it was totally blocked.
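The rule model xtree describes in posts #4 and #6 (a packet matched against ordered rules on protocol, local/remote IP and port, and direction; first match wins; a compulsory "block all" line after which nothing is live) can be written out as a small simulator. This is an added example and not GhostWall's code: the `Rule`/`Packet` classes, the rule names and the sample addresses are assumptions made here to illustrate the behaviour, including the Loopback and POP3/SMTP rules from post #4 and the effect of moving a rule above the "block all" line from post #6.

```python
from dataclasses import dataclass
from typing import List, Tuple

ANY = "*"  # wildcard for an IP or port field


@dataclass(frozen=True)
class Packet:
    """One packet as a filter sees it (constructed model, not a real capture)."""
    protocol: str      # "TCP", "UDP", "ICMP" or "RAW"
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    direction: str     # "in" or "out"


@dataclass(frozen=True)
class Rule:
    """The fields xtree lists: description, protocol, local/remote IP and port,
    direction and allowance. Unset fields match anything."""
    description: str
    protocol: str = "ALL"        # "TCP", "UDP", "ICMP", "RAW" or "ALL"
    local_ip: str = ANY
    local_port: object = ANY     # an int or ANY
    remote_ip: str = ANY
    remote_port: object = ANY    # an int or ANY
    direction: str = "both"      # "in", "out" or "both"
    action: str = "allow"        # "allow" or "block"

    def matches(self, pkt: Packet) -> bool:
        return (self.protocol in ("ALL", pkt.protocol)
                and self.local_ip in (ANY, pkt.local_ip)
                and self.local_port in (ANY, pkt.local_port)
                and self.remote_ip in (ANY, pkt.remote_ip)
                and self.remote_port in (ANY, pkt.remote_port)
                and self.direction in ("both", pkt.direction))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule decides; returns (action, rule description).
    Rules after a matching 'block all' line are never reached, which is
    exactly why post #6 calls them 'out of use'."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.description
    return "block", "implicit default"   # no 'block all' line present


# The compulsory final line from post #6.
BLOCK_ALL = Rule("All protocols blocked", action="block")

# A constructed rule set in GhostWall's style: the Loopback rule from post #4,
# the two mail rules from post #4, the block-all line, and one rule parked
# below it that is therefore inactive.
RULESET = [
    Rule("Loopback", remote_ip="127.0.0.1"),
    Rule("POP3 receive", protocol="TCP", remote_port=110, direction="out"),
    Rule("SMTP send", protocol="TCP", remote_port=25, direction="out"),
    BLOCK_ALL,
    Rule("Web browsing (inactive)", protocol="TCP", remote_port=80, direction="out"),
]


def activate(rules: List[Rule], description: str) -> List[Rule]:
    """Move the named rule to just above the block-all line (post #6)."""
    rule = next(r for r in rules if r.description == description)
    remaining = [r for r in rules if r is not rule]
    idx = remaining.index(BLOCK_ALL)
    return remaining[:idx] + [rule] + remaining[idx:]


if __name__ == "__main__":
    # Sample addresses below are documentation ranges chosen for this example.
    web = Packet("TCP", "192.168.1.20", 50124, "203.0.113.10", 80, "out")
    print("web, rule parked below block-all:", evaluate(RULESET, web))
    print("web, rule moved above block-all: ",
          evaluate(activate(RULESET, "Web browsing (inactive)"), web))
```

Note that the POP3 rule is direction "out" only: an unsolicited inbound TCP packet to local port 110 still falls through to the block-all line, which is the behaviour feniks is asking about in the next posts.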
  #7  
Old December 20th, 2007, 07:28 AM
Jason_R0
Developer
Join Date: Feb 2005
Location: Australia
Posts: 1,038
Re: Question to Jason_R0 or somebody who knows.

It isn't a true "stateful inspection" in GhostWall, simply because it uses a bit more resources and isn't needed for most things. It helps in some cases like creating rules for some FTPs and things of that nature, but generally you can get by without it. It doesn't mean it's any less secure, just in some instances it's harder to create a permanent rule to allow certain behaviour. GhostWall's main aim was to be the fastest/least consuming firewall out there, and my tests at the time proved it was #1 in that regard.

GhostWall will be added to GSS soon enough and that will have application control and other things like SPI which will improve upon the few feature limitations of the current version.
  #8  
Old December 20th, 2007, 08:32 AM
feniks
Regular Poster
Join Date: Sep 2007
Posts: 130
Re: Question to Jason_R0 or somebody who knows.

Quote:
Originally Posted by Jason_R0
It isn't a true "stateful inspection" in GhostWall, simply because it uses a bit more resources and isn't needed for most things. It helps in some cases like creating rules for some FTPs and things of that nature, but generally you can get by without it. It doesn't mean it's any less secure, just in some instances it's harder to create a permanent rule to allow certain behaviour. GhostWall's main aim was to be the fastest/least consuming firewall out there, and my tests at the time proved it was #1 in that regard.

GhostWall will be added to GSS soon enough and that will have application control and other things like SPI which will improve upon the few feature limitations of the current version.

Thank you for the answer, Jason_R0. I know that with SPI it is often a matter of definition. For me, SPI is when the firewall checks whether packets belong to a communication initiated by my computer. Then it is simply a question of how deep the inspection is.

That is why I have the question. I do not want you to say or deny that Ghostwall has SPI or not. For me it is just an invitation to pointless discussions of opinions about what SPI is.

Like you said, "It isn't a true "stateful inspection" in GhostWall", and I think you said that because otherwise you would be attacked by all these "experts".

So can you explain to me how this not-true "stateful inspection" in GhostWall works?

I am just trying to understand how Ghostwall allows incoming communication without any rule for incoming. If Ghostwall were simply based only on rules, then everything out would be allowed but everything in would be blocked, because I do not have any rule for anything incoming.

Just two rules: allow all out, and under that, block all.

When my application is, let's say, updating: it can have outbound communication to check for an update because there is a rule to allow all out. But then it is downloading the update, and there is no rule to allow any incoming traffic on any port.

So I still do not understand how Ghostwall decides what to allow inbound with no rules for incoming?
  #9  
Old December 21st, 2007, 03:05 PM
gottadoit
Security Expert
Join Date: Jul 2004
Location: Australia
Posts: 589
Re: Question to Jason_R0 or somebody who knows.

feniks,
Have you monitored the network traffic and checked whether the download is (or is not) a "new" connection? For a new incoming connection you will see a packet arrive from the remote IP address with the SYN flag set; this flag initiates a "new incoming connection".

If the download was a continuation of the communication that started when the program sent out the version number, I would think that would qualify as not needing an explicit rule to allow the traffic
  #10  
Old December 21st, 2007, 11:48 PM
feniks
Regular Poster
Join Date: Sep 2007
Posts: 130
Re: Question to Jason_R0 or somebody who knows.

Quote:
Originally Posted by gottadoit
feniks,
Have you monitored the network traffic and checked whether the download is (or is not) a "new" connection? For a new incoming connection you will see a packet arrive from the remote IP address with the SYN flag set; this flag initiates a "new incoming connection".

If the download was a continuation of the communication that started when the program sent out the version number, I would think that would qualify as not needing an explicit rule to allow the traffic

Thank you for your input.

That is why I had my question, because somebody before here on Wilders told me that Ghostwall is a stateless firewall and I cannot agree with that. Please let me write how I understand it.

For me there are three kinds of firewalls in regards to state.

A Stateful Filtering firewall filters packets of data based on the network connections that are being used. In this way, a stateful firewall allows data packets to traverse known connections and denies all others.

A Stateful Inspection Firewall is a type of Network-level Firewall. They inspect packets passing through open network connections by examining every packet to determine whether they are authorized or not.

A Stateless Filtering firewall filters packets of data regardless of why they are being sent to a system unit. Filtering is performed based on rules that allow/disallow the data packets to pass through the firewall. These rules use parameters such as destination and origination port addresses, protocol types, etc.


So Ghostwall cannot be a stateless filtering firewall, because I did not make any rules for incoming, so all incoming packets should be dropped. Only out should be allowed, because there is a rule to allow that.

However, browsing, downloading, etc. with only this one rule works both ways, so Ghostwall must be a stateful filtering firewall, because it remembers and allows data packets to traverse known connections and denies all others.

If I use P2P, I must have a rule for incoming ports, or connections not initiated by me are blocked.

So Ghostwall only accepts incoming traffic in response to a client's initial outbound query, for the specific ports used in that query (stateful).

So for me Ghostwall is a stateful filtering firewall. Maybe it is not a fully stateful inspection firewall (SPI), but it cannot be stateless.

However, maybe it has some session table and inspects the packets in a connection to some point; can somebody tell me if that is so?

As I am not an expert, I cannot determine it myself, so that is why I asked how Ghostwall allows incoming traffic without any rule for incoming traffic.
  #11  
Old December 27th, 2007, 08:02 AM
Jason_R0
Developer
Join Date: Feb 2005
Location: Australia
Posts: 1,038
Re: Question to Jason_R0 or somebody who knows.

GhostWall doesn't block incoming data which the user initiated, it does this by checking packet flags as Gottadoit stated. GhostWall mostly gets involved in the initial stages of the connection, deciding whether to allow or drop. Holding a connection table and having to modify it, etc, is when things start to get slowed down, especially when you're dealing with 1000s of communications a second.
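The distinction Jason_R0 and gottadoit draw, deciding on TCP flags at the start of a connection versus keeping and updating a connection table, can be made concrete by running both decision procedures over the same constructed packet trace. This is an added example and not GhostWall's code: `flag_based_decision`, `StatefulFilter`, the trace and the addresses are assumptions made here to show where the two approaches agree and where they differ. It also covers the three firewall kinds feniks lists in post #10, since the flag check is the "stateful filtering" behaviour he observes (replies get through with no inbound rule) while the table is what a connection-tracking firewall adds.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# TCP flag bits as they appear in the header's flags byte.
SYN, ACK = 0x02, 0x10


@dataclass(frozen=True)
class TcpPacket:
    """A TCP packet reduced to what the filter looks at (constructed model)."""
    direction: str     # "in" or "out"
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    flags: int

    def is_new_connection(self) -> bool:
        """SYN without ACK: the first packet of a three-way handshake,
        the flag gottadoit says marks a 'new incoming connection'."""
        return bool(self.flags & SYN) and not (self.flags & ACK)


def flag_based_decision(pkt: TcpPacket,
                        inbound_allow_ports: FrozenSet[int] = frozenset()) -> str:
    """Flag-check model (assumed here): no table, decide per packet.
    Outbound is allowed by the 'allow all out' rule; inbound is blocked only
    when it opens a new connection to a port with no explicit inbound rule."""
    if pkt.direction == "out":
        return "allow"
    if pkt.local_port in inbound_allow_ports:
        return "allow"                    # e.g. a P2P listening port rule
    if pkt.is_new_connection():
        return "block"                    # unsolicited SYN hits 'block all'
    return "allow"                        # ACK set: treated as a reply


class StatefulFilter:
    """Connection-table model: remember each outbound SYN and allow inbound
    packets only for connections in the table. This is the bookkeeping
    Jason_R0 says costs time at thousands of connections per second."""

    def __init__(self, inbound_allow_ports: FrozenSet[int] = frozenset()):
        self.table = set()
        self.inbound_allow_ports = inbound_allow_ports

    def decide(self, pkt: TcpPacket) -> str:
        key = (pkt.local_ip, pkt.local_port, pkt.remote_ip, pkt.remote_port)
        if pkt.direction == "out":
            if pkt.is_new_connection():
                self.table.add(key)       # remember the connection we opened
            return "allow"
        if pkt.local_port in self.inbound_allow_ports:
            return "allow"
        return "allow" if key in self.table else "block"


def run_trace(trace: List[TcpPacket],
              inbound_allow_ports: FrozenSet[int] = frozenset({6881})) -> List[Tuple[str, str]]:
    """Return (flag-based decision, stateful decision) for each packet."""
    stateful = StatefulFilter(inbound_allow_ports)
    return [(flag_based_decision(p, inbound_allow_ports), stateful.decide(p))
            for p in trace]


# Constructed trace using documentation address ranges: an HTTPS connection
# we open, a connection to a port we deliberately allow inbound (6881, as a
# P2P rule would), and two unsolicited packets to a port with no rule.
TRACE = [
    TcpPacket("out", "192.168.1.20", 50123, "203.0.113.10", 443, SYN),        # our SYN
    TcpPacket("in",  "192.168.1.20", 50123, "203.0.113.10", 443, SYN | ACK),  # server reply
    TcpPacket("in",  "192.168.1.20", 50123, "203.0.113.10", 443, ACK),        # download data
    TcpPacket("in",  "192.168.1.20", 6881, "198.51.100.7", 40000, SYN),       # allowed by rule
    TcpPacket("in",  "192.168.1.20", 3389, "198.51.100.7", 4444, SYN),        # unsolicited SYN
    TcpPacket("in",  "192.168.1.20", 3389, "198.51.100.7", 4444, ACK),        # unsolicited ACK
]

if __name__ == "__main__":
    for pkt, (flag_verdict, state_verdict) in zip(TRACE, run_trace(TRACE)):
        print(f"{pkt.direction:3} {pkt.remote_ip}:{pkt.remote_port} -> "
              f"local {pkt.local_port}  flags=0x{pkt.flags:02x}  "
              f"flag-check={flag_verdict:5}  table={state_verdict}")
```

The two models agree on every packet except the last one: an ACK-flagged packet that belongs to no connection the host opened passes the flag check (it looks like a reply) but is dropped by the connection table. With the flag-only design the host's own TCP stack answers such a packet with a reset, so no connection results; the cost is that the filter itself cannot tell a genuine reply from any other ACK-flagged packet, which is the trade-off Jason_R0 describes between resource use and "true" stateful inspection, and why feniks's observation (replies arrive with no inbound rule) is consistent with there being no session table.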
  #12  
Old December 27th, 2007, 10:56 AM
feniks
Regular Poster
Join Date: Sep 2007
Posts: 130
Re: Question to Jason_R0 or somebody who knows.

Thank you, Jason_R0, for the clarification. You have to forgive me, guys, because I am not too deep into the subject, so I often need more explanation.

Happy New Year and thank you.
 

Copyright ©2002 - 2013, Wilders Security Forums