About the TCP SPI in lns

Discussion in 'LnS English Forum' started by Jony327, May 18, 2009.

Thread Status:
Not open for further replies.
  1. Jony327

    Jony327 Registered Member

    Joined:
    May 16, 2009
    Posts:
    3
    I am not very clear about the mechanism of TCP SPI in lns. Does it start to perform the stateful check from the very first SYN-flag in/outbound packet and continue throughout the whole connecting process? If so, it should block ALL TCP packets which do not belong to the active connections. In this case, it would be enough for us to block only the inbound initial TCP connections, i.e., the inbound SYN-flag packets. So why do we still need many additional rules for the abnormal TCP packets in the ruleset? Do I misunderstand this problem?
     
  2. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Yes, it does.

    For stand-alone packets, not belonging to a TCP connection, yes you are right, some TCP rules checking TCP Flags are normally not required when the TCP Stateful is enabled.
    However, if a packet belongs to an allowed TCP connection detected by the TCP Stateful, but this packet doesn't have a proper flag combination, these rules will detect this packet (and before it is checked against the TCP Stateful).

    There are also some rules about IP fragmentation. These rules are not required when the IP Fragmentation is enabled in the advanced options.

    Regards,

    Frederic
     
  3. Jony327

    Jony327 Registered Member

    Joined:
    May 16, 2009
    Posts:
    3
    That means that the TCP stateful itself does not block these abnormal-flag packets?
     
  4. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Yes, the TCP Stateful is very basic and simple, it consists just of detecting new connections (SYN Flag alone), and checking other packets are part of a known connection (through ports and IP address).
    Since it is very easy to create rules for unwanted packets with abnormal flags, it was not required to do it again in the TCP Stateful. Also the ruleset is checked first so only allowed packets are examined by the TCP Stateful.

    Frederic
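
The two-stage order described in the reply above (ruleset first, then a basic stateful check keyed on IP addresses and ports), modelled as an added example that is not part of the original thread and not LnS code. The specific flag rules, the inbound-SYN rule, the function names and the packets are constructed assumptions for illustration.

```python
# Constructed model of "ruleset first, then basic TCP stateful".
# Rule choices and names are assumptions, not LnS internals.
SYN, ACK, FIN, RST = "SYN", "ACK", "FIN", "RST"

def abnormal_flags(flags):
    """Ruleset stage: flag combinations a valid TCP segment never carries."""
    f = frozenset(flags)
    return (not f                          # no flags at all
            or {SYN, FIN} <= f             # SYN together with FIN
            or {SYN, RST} <= f             # SYN together with RST
            or (FIN in f and ACK not in f))  # FIN without ACK

class Firewall:
    def __init__(self, flag_rules=True):
        self.flag_rules = flag_rules   # are the abnormal-flag rules in the ruleset?
        self.connections = set()       # known (local, lport, remote, rport) tuples

    def check(self, direction, local, lport, remote, rport, flags):
        flags = frozenset(flags)
        # Stage 1: the ruleset; only packets it allows reach the stateful check.
        if self.flag_rules and abnormal_flags(flags):
            return "blocked by ruleset"
        if direction == "in" and flags == {SYN}:
            return "blocked by ruleset"    # assumed rule: no inbound connections
        # Stage 2: basic stateful check; flags are not inspected beyond "SYN alone".
        key = (local, lport, remote, rport)
        if flags == {SYN}:
            self.connections.add(key)
            return "allowed (new connection)"
        if key in self.connections:
            return "allowed (known connection)"
        return "blocked by stateful"

# Constructed sample traffic: (direction, local, lport, remote, rport, flags)
PACKETS = [
    ("out", "10.0.0.5", 50000, "192.0.2.10", 80, {SYN}),       # client opens connection
    ("in",  "10.0.0.5", 50000, "192.0.2.10", 80, {SYN, ACK}),  # normal reply
    ("in",  "10.0.0.5", 50000, "192.0.2.10", 80, {SYN, FIN}),  # bad flags, known connection
    ("in",  "10.0.0.5", 50001, "192.0.2.10", 80, {ACK}),       # stand-alone packet
    ("in",  "10.0.0.5", 445, "198.51.100.7", 40000, {SYN}),    # inbound connection attempt
]

def run(flag_rules):
    fw = Firewall(flag_rules)
    return [fw.check(*p) for p in PACKETS]

if __name__ == "__main__":
    for label, rules in (("with flag rules", True), ("without flag rules", False)):
        print(label, run(rules))
```

The third packet is the case the flag rules exist for: with them it is stopped by the ruleset, without them it passes as part of a known connection, while the stand-alone packet is blocked by the stateful check either way.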
     
  5. Jony327

    Jony327 Registered Member

    Joined:
    May 16, 2009
    Posts:
    3
    Thank you very much for your reply. :)
     