Stateful Packet Inspection problems!

Discussion in 'LnS English Forum' started by Phant0m, Mar 2, 2004.

Thread Status:
Not open for further replies.
  1. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Firstly, you get what you asked for; you should have been specific in your post, then I probably would have replied to suit you.

    In any case, what makes a true “Software Firewall” is the packet filtering. Hey Jim, did you ever see a Software Firewall without packet filtering?

    Man, I don’t know what the heck you’re going on about, but anyway basic/full SPI discussions are irrelevant to this topic.

    Let me tell you something; I’ve been using a number of “Personal Software Firewalls” lately and thoroughly testing their SPI feature with p2p software, among other things, WITHOUT any system delays/freezes or FW application delays/freezes. And guess what else? Ideal for p2p software, and they do NOT provide any Monitored/Allowed connection restrictions…

    irrelevant personal remark removed - paul

    It’s okay to make excuses for Look ‘n’ Stop, god help me I have many times, but I’m tired now... irrelevant and personal remark removed and not allowed - paul

    As for any further discussion on this topic, for myself it is not necessary; I made my point and that is it!

    Best Regards,
     
  2. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    quoted irrelevant personal remark removed - paul

    First, you are wrong; I know this subject deeply, modify my Linux kernel accordingly and set it up in user land far more deeply than you can probably imagine...
    Second, I don't see from what I have said where you can see that I know nothing about SPI; you can just say we have different opinions.

    I was hoping not to fall into this kind of discussion; I have nothing to add in a discussion where I provide arguments and where in return people try to bash me.

    I said my points, nothing to add.
     
  3. tosbsas

    tosbsas Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    789
    Location:
    Lima, Peru
    Hey guys, I have no idea about SPI, but I would like LnS to stay top-notch by getting rid of this limit thing.

    Frederic, please look into it.

    Ruben
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Gents,

    Since we all are human, discussions can on rare occasions turn into sort of a personal fight, and personal comments are posted that really are uncalled for.

    It's just fine to agree to disagree without any bashing. As you might have noticed, I have removed all that has been posted in this particular context.

    Please lay back for a while, take some rest if needed, and after that let's proceed in the usual and respectful way.

    regards.

    paul
     
  5. Bobby

    Bobby Guest

    Why not make a rule to allow SPI with a few applications only?

    A standard NAT can handle 25000 connections; you are a bit short with your array of 128 entries :)
     
  6. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    The default under Netfilter is 16376 ;)
    (and that is for a whole LAN; here we talk about a single computer, you can't really compare :))
    Of course you can increase it if you have a very good server.

    I think the difference is that you use your computer for something else too; it isn't dedicated to SPI.
    But I agree that we could try to increase the current number in Look'n'Stop, at least maybe to do a special beta that people who want can try.

    About your idea to only use SPI for particular applications, it sounds good: we could specify an app, let's say a P2P prog, and entries about it would not be written in the connection tracking buffer/file. So, on the other side, when packets are coming back, they would not be automatically allowed (because not tracked) and would need a specific rule that we all know, like allow incoming packets on P2P ports when the app is running.

    So increasing the number of connections being tracked and/or switching SPI on/off for particular apps are good ideas, I think :)

    EDIT: maybe it is not easy to link traffic owned by apps if the SPI is only done by the driver at network layer; only Frederic can tell.
     
  7. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    I absolutely disagree!

    VisNetic Firewall IS a Personal Firewall and then some; it isn’t an Application-based Personal Firewall, no, do the research and you’ll see. And this also applies to 8Signs Firewall, and as I said, do the research and you’ll see.

    Just because something only offers a Packet Filtering Layer doesn’t necessarily mean it isn’t a Personal Firewall.


     
  8. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I was just talking with my criteria; if you use yours, you can call it whatever you want, it still doesn't have outbound application filtering, period.
     
  9. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    You must be more of a Software Firewall expert than James Grant? Because he says it’s a Personal Firewall….

    Just because it’s not an Application-Based Personal Firewall, it is still a Personal Firewall! ;)
     
  10. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    It is not a matter of being more expert than someone else or not; *I* assume that a home user for _personal_ use needs application filtering, and that in an enterprise or firm (where I already worked) you put on a server (generally a gateway) a firewall without application filtering, because it isn't a personal computer for personal use.
    So you can throw all your experts at me; you can paste my sentence and give it to them.

    Now, you perfectly know that English isn't my native language, and if you want to play on words, you will always win.
    So if you have something against me, use PMs instead; if not, stay on topic, I would be really grateful to you for that.

    Thank you.
     
  11. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    A Personal Firewall WITH TCP Stateful Packet Inspection that has no limitation on simultaneous connections, and there are absolutely no problems with the use of p2p software. In fact I’ve tested quite a few software firewalls for Windows with SPI and with no limitation on simultaneous connections, and no problems with the use of p2p software! ;)
     
  12. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Thank you gkweb!

    The clarity of this post is what I respect... Again Thanks!
     
  13. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Enjoy the cookie gkweb! Again most appreciated!
     
  14. Cryptic007

    Cryptic007 Guest

    The security expert said: "a good firewall MUST HAVE Stateful packet inspection"

    In the case we are in a company with around 100 computers on a NAT, or in the case we use P2P software or some client application which uses massive SQL queries, so each user must take a ticket to make a TCP connection with looknstop and SPI enabled when the 64 or 128 entries are full? lol
     
  15. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I would like to know the names of your so-called "expert".
    SPI is a feature, a good one I totally agree, but I have never heard that firewalls without SPI were bad firewalls.

    If I believe a real firewall expert, Robert L. Ziegler, SPI has a lot of issues and scalability problems, and not every corporate network uses them; using a stateless firewall is in many cases (not all) better than a stateful one.
    If however it is possible to use it, it might improve security, but for sure it will ask more work from the admin, because in the case the SPI table entry is timed out (although the connection is still alive) a "hard coded" _additional_ filter rule is needed to accept the connection anyway in case of SPI failure; you can't in a firm allow the possibility that your VPN connection will be unexpectedly terminated while transferring critical files.

    So to sum up, you have to use a stateless firewall starting ruleset which can handle every traffic you want to allow, and then, if your computer power allows it, activate SPI over it.
    If you do not, and if the SPI has a failure, the default policy will be called and your connection will probably be dropped, which can be critical in a corporation.

    To say SPI is an awesome feature, really great and interesting, very powerful, is ok.
    But to say that not using it is BAD, that you "MUST" use it, or else you have a BAD firewall, is senseless, and I doubt any expert would say that.
    Maybe you don't know, but many routers for personal use lock up when handling P2P traffic.
    Maybe you still don't know that many router companies have removed the SPI feature from their router firmware because it was causing too many issues for their customers.

    Then, all experts apart, if you think a little by yourself, you can probably see that it is not the SPI in itself, but the implementation (the way to build it into the software) that is not that easy.
    Users' computer power can be from the lowest to the highest, from Pentium III 500MHz to P4 3.2GHz, and to simply add an SPI which can handle 10 000 connections instead of 128 will break the weakest computers' users; maybe *you* don't care, but a firewall vendor for home users can't do it that way.
    A computer can have 128MB RAM or 1GB (even more), and should the 128MB user take a BSOD because he "must" upgrade?

    I know Phant0m is a power user and has a very good computer ;)

    Here we talk about a product which has to work on every computer in all cases, not a single gateway packet filter which will work on a big server. If Look'n'Stop is meant to be used both as a corporate gateway and on a personal home computer, then maybe indeed Look'n'Stop should provide an option "corporate / not corporate", but I think it is not what you would like; you just want Look'n'Stop handling P2P traffic on *your* computer.

    Now, please read this: we can throw as many experts at each other as exist on the earth; even they do NOT agree, which is why I read their comments but rather think by myself instead of being a quoting robot. Saying expert "xxx" said that won't solve our current problem.

    You can play chit-chat as much as you want; we just won't go anywhere. Why? Because in a respectful manner, I would rather say I have this or this problem, I would like this product to be improved that way, to work like this, will this be done, will there be a special beta just to test a huge amount of connections in SPI, but certainly not attack people as well as the firewall vendors and other LnS users for their _opinion_ on the subject, telling them that if they don't think what an expert thinks they are wrong and idiots.

    For every piece of software I use, I report bugs politely and ask for my personal feature requests. When other users comment on my requests, I discuss with them, I share my ideas, and often the next software version is improved and better, and all is fine.

    This thread is anything BUT that, so obviously it will lead to nothing good, and for sure you won't have official answers, but hey, maybe that isn't what you want?

    If someone wants to get back on topic and to continue this thread in a respectful manner, and respect other forum readers/writers and Look'n'Stop users, the subject is "Stateful Packet Inspection problems" with _Look'n'Stop_: what are your ideas, how would you like to see LnS SPI improved, etc...
     
  16. cryptic007

    cryptic007 Guest

    I agree that I didn't study the complexity of implementing the SPI feature, but if the only problem is CPU power then you can do different versions of looknstop, a server one, a home user one, etc... but if you are a crafty programmer, you can let the user set the minimum and maximum SPI connections he wants according to his processor speed and memory size.
    I have a P133 with 64MB of RAM, so will you do a special version for me or will you decrease SPI from 128 to 32? ;)

    About SPI, an interesting thing to do is to see what other products offer, like ISA Server 2000, Cisco PIX, Checkpoint firewall, etc...
    These are expensive firewalls (around 4000 euros), but why are they so expensive?
     
  17. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    cryptic,

    This thread is on watch. There's no need for sarcasm - and it will not be tolerated either.

    Please stay on topic.

    regards.

    paul
     
  18. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    An interesting idea; I don't know however what Frederic would think of it, but I think having a server version without application filtering and with an SPI able to handle a lot of connections would be great, why not a special beta? :)

    About the current home user version, I would like an option "activate full SPI" and, by clicking it, a popup warning the user of resource requirements while using P2P applications etc...

    A good deal between low-resource computers and power users ;)
    (just my opinion though)

    Cisco and Checkpoint are very famous router and firewall brands; they have been in networking for many years and have very reliable products (in corporations you will see a lot of 3com, Cisco, and Checkpoint products).

    The price is indeed often expensive, but I think it is because their products are supposed to never lock up whatever the traffic flow, and are made by a well-known brand which has many years of experience, maybe....

    In fact i don't know, ask them :)
     
  19. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    You are definitely not getting anymore cookies from me!

    gkweb, how often have you ever seen me post on here about bugs/issues with Look ‘n’ Stop? Very rarely do I do so; I prefer E-mailing, which I have been doing on this subject for months, since the very beginning of the TCP SPI implementation. And finally I just decided to take this to the forum, because I needed user feedback on this, because I’ve been told over and over that I’m the only one coming forth about this when indeed, throughout this, people on the English AND French forums were experiencing the same problems. And if it wasn’t for you posting in the manner you did in response to others' posts, I could have had quite a number of users posting, but you see, you intimidated them, and I know this very well because I have E-mails, ICQ and MSN messages that I’ve been reading. And just thinking of future TCP SPI topic readers who possibly feel the same way and don't post makes me a tad bit frustrated, since what I wanted in the first place is user feedback!

    OK, so these people who have been experiencing TCP SPI issues and post about it on the Look ‘n’ Stop Forums get told by the vendor or someone else to disable the Look ‘n’ Stop “TCP SPI” feature, and so they do so, normally no questions asked, EVEN though they don’t know what TCP SPI is and the purpose of it. And there is much to TCP SPI which I won’t get into, but to make this simple, TCP SPI will block all incoming "unsolicited” packets. And to point out specifically a type of incoming "unsolicited" packet that requires TCP Stateful Packet Inspection for protection: TCP packets with the ACK flag set. This is a problem with all packet filtering systems that don't offer TCP SPI; this isn’t a fairy tale, this is fact.
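As an added illustration (not code from this thread, from Look 'n' Stop, or from any poster) of the two points argued above: gkweb's bounded connection-tracking table with a static "hard coded" fallback rule for untracked flows, and Phant0m's unsolicited ACK packets that a stateless filter lets through. The 128-entry limit comes from the thread; the addresses, port 6881, the packet layout and the class names are assumptions made for the example.

```python
# Added example, not code from Look 'n' Stop or from any poster: a toy TCP
# connection tracker with a fixed-size state table, beside a stateless
# "allow inbound if ACK set" filter. Packets are constructed dicts; port 6881
# is an assumed P2P port used only for the static fallback rule.
from collections import OrderedDict

TABLE_SIZE = 128      # the per-host entry limit discussed in the thread
P2P_PORTS = {6881}    # assumed P2P port for the "hard coded" static rule


class StatelessFilter:
    """Accepts inbound TCP whenever ACK is set, i.e. trusts the flag alone."""
    def inbound(self, pkt):
        return "ACK" in pkt["flags"]


class StatefulFilter:
    """Remembers flows opened by local outbound SYNs, up to TABLE_SIZE.
    Inbound packets must match a tracked flow or a static port rule.
    Once the table is full, new flows are simply not tracked."""
    def __init__(self, size=TABLE_SIZE, static_ports=()):
        self.size = size
        self.table = OrderedDict()     # (src, sport, dst, dport) -> state
        self.static_ports = set(static_ports)

    def outbound(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.table and pkt["flags"] == {"SYN"}:
            if len(self.table) < self.size:
                self.table[key] = "SYN_SENT"
            # else: table full, flow leaves untracked (outbound still allowed)
        return True

    def inbound(self, pkt):
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])  # reverse
        if key in self.table:
            if {"SYN", "ACK"} <= pkt["flags"]:
                self.table[key] = "ESTABLISHED"
            return True
        # stateless fallback for untracked flows, as gkweb describes
        return pkt["sport"] in self.static_ports or pkt["dport"] in self.static_ports


def tcp(src, sport, dst, dport, *flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": set(flags)}


def unsolicited_ack_passes(fw):
    """An inbound ACK-only packet that no local SYN ever solicited."""
    return fw.inbound(tcp("203.0.113.9", 4444, "192.0.2.10", 3389, "ACK"))


def p2p_replies_dropped(n_peers, static_ports=()):
    """Open n_peers outbound flows to peers on 6881, then count dropped SYN/ACKs."""
    fw = StatefulFilter(static_ports=static_ports)
    peers = ["198.51.100.%d" % (i % 250 + 1) for i in range(n_peers)]
    for i, peer in enumerate(peers):
        fw.outbound(tcp("192.0.2.10", 10000 + i, peer, 6881, "SYN"))
    replies = [tcp(peer, 6881, "192.0.2.10", 10000 + i, "SYN", "ACK")
               for i, peer in enumerate(peers)]
    return sum(1 for r in replies if not fw.inbound(r))
```

With 200 peers the stateful filter drops the 72 replies beyond the 128 tracked entries, unless the static port rule is present; the stateless filter never drops them but also accepts the unsolicited ACK.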
     
  20. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I'm sorry if you took something personally, Phant0m; all my last posts were for Cryptic.

    About feedback: to suggest ideas and explain one's own needs is feedback; to attack other people or the product itself isn't feedback.

    I'm sure you perfectly know that *I* don't attack people, I help them, and I know people know it.
    But to say that when someone attacks a product and I react, I am suddenly a bad guy, is nonsense.
    Me too, I have emails/MSN/voice chats of people thanking me, but unlike you, I don't create an imaginary bad guy on this forum; if there is one, it's certainly not me.

    Honest people wanting to give their ideas _know_ they can, but you, actually trying to show me as someone I am not, is something I don't really appreciate, and is totally off topic. You have already threatened to "hammer" me in a previous post, and you actually do it, indeed.

    A forum is to share ideas, and if when I see people being a bit rude I can't explain to them why they shouldn't be rude (so as to keep peace on the forum), it's total nonsense, as I said.

    Maybe the bad guys aren't those you believe, Phant0m; I'm sorry that once again you do all that you can to disturb the thread, really sad.
     
  21. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Let's look at an example of a response, of course to FuBaSh...

    Little remarks may not be a big thing to you, but that doesn't necessarily mean they aren't to others...

    gkweb, I’m not sure how you can expect other people to stay on topic when you bring additional posts that show you moving further off topic…
     
  22. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Phant0m, too much is too much; you will stop that now!

    Partial quoting is the easiest way to make people say what they didn't say, and out of context it means nothing.

    So stop this childish chit-chat now.

    You did have my feedback, you don't like it, and you attack me; it tells everything about WHO you are.

    Stop that now, I am getting f** up with your childish behaviour.
     
  23. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    Hot Topic :) Quite interesting to see the views of each :)

    KARMA for GKWEB and PHANTOM :)
     
  24. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    Phant0m all the way for some reason! :)
     
  25. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    This will do. I for one am a strong believer in a good and adult discussion. This does imply those involved have the decency and respect to withhold from playing hardball and getting purely personal issues in the way.

    Since this doesn't seem possible for one reason or another, there's no other option left than closing this thread.

    regards.

    paul
     