Stateful Packet Inspection problems!

Discussion in 'LnS English Forum' started by Phant0m, Mar 2, 2004.

Thread Status:
Not open for further replies.
  1. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    TCP SPI is designed slightly differently than what I see in other Software Firewalls; truth be told, this slight difference in the design that has been implemented in Look ‘n’ Stop isn’t a good thing.

    How long will be required to fix this problem? How long must I keep that crucial feature disabled?
     
  2. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    Do I need to even go there?

    TCP SPI...

    gimme gimme gimme.... but it's deactivated for now... slight problem with it. I have to agree with phant0m.

    Anything on this Frederic?
     
  3. manuangi

    manuangi Registered Member

    Joined:
    Jan 29, 2003
    Posts:
    148
    Location:
    Italy
    Hi Phant0m! Could you please explain to me what's wrong with that? And why have you been keeping it disabled?
    Thx!
     
  4. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey manuangi

    I’ll explain it to you, since you appear not to have seen my previous posts and of course not my e-mails on this subject:

    Look ‘n’ Stop restricts the maximum number of monitored/allowed connections: 64 was the limit before v2.05b2, and now it's 128. This increase does zip for me; it is the only Software Firewall I’ve seen that provides these types of restrictions. It does offer some benefits, but the benefits are far less important to me.
     
  5. manuangi

    manuangi Registered Member

    Joined:
    Jan 29, 2003
    Posts:
    148
    Location:
    Italy
    thanks!
    I'd actually read about that, but I was not sure it was the topic you've been discussing here; I couldn't understand it from your 1st post.

    :doubt: (sorry)
     
  6. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    You weren’t actually meant to; this is directed at Frederic, and Frederic knows about the anomaly perfectly.
     
  7. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    teehee theeheheheh :D
     
  8. manuangi

    manuangi Registered Member

    Joined:
    Jan 29, 2003
    Posts:
    148
    Location:
    Italy
    [OT]
    right...but remember that other users may read your words...as I did...if you want to talk to Frederic only, use PMs instead... ;)

    (I don't want to hurt you, you're a friend!)
    [/OT]
     
  9. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    teehee teehehehe teeheee :D
     
  10. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    The way I choose to direct Frederic about Look ‘n’ Stop is my choice and my choice alone, and if I want to talk to Frederic only, I can do so by simply ignoring everyone else who invades this topic. ;)
     
  11. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    OHH OHHH OHHHHH can I say something ?

    teeheee teehee teeheheheh :D
     
  12. tosbsas

    tosbsas Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    789
    Location:
    Lima, Peru
    Frederic - any news on that one?? Any fixes o_O

    Ruben
     
  13. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    This behaviour is by design, so no fix is really to be expected.
    However, perhaps we will change the design in a future version to remove this limitation.
    Normally it only affects P2P applications, which open a lot of simultaneous TCP ports.

    Frederic
     
  14. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I know an SPI which can handle all connections from a P2P program... it is the NetFilter Linux firewall _on a dedicated server_ (with its own CPU, memory, etc.).

    If you want your personal firewall to handle such an amount of traffic, but at the same time still be able to use your computer, you should expect a large increase in memory usage and CPU usage, and a little research from Frederic to find a way to not lock up the computer.
    SPI was first created (as far as I know) to handle all network connections from a LAN to the Internet, on a dedicated computer/router.
    Such a feature has been well built into Look'n'Stop, and to make it work with P2P is, I think, a hard task.
     
  15. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    I like Look ‘n’ Stop a lot, but when it comes down to it, this Software Firewall is telling me what I’m authorized to run and do. I’ve been more than patient; ever since TCP SPI was implemented in Look ‘n’ Stop I’ve wanted this problem resolved, but now it is about time I use another Software Firewall with a properly functional Stateful Packet Inspection feature, and from what I see there is a good variety.

    It is not easy for me to say these things; you couldn’t see a more dedicated Look ‘n’ Stop user than me. I’ve been so since the day I began using Look ‘n’ Stop on Jan 13, 2002. What I’ll do is take a spell away from Look ‘n’ Stop, and perhaps, if I don’t become attached to whatever I'm using by the time Look ‘n’ Stop TCP SPI improves, I’ll return.

    Regards,
     
  16. Phill

    Phill Registered Member

    Joined:
    Oct 4, 2003
    Posts:
    17
    I too have been suffering from this anomaly, Frederic. Sometimes my log gets full of stateful packet blocks, and it eventually stops me surfing. I too would like to see a fix for this as soon as possible, as surfing without SPI seems to defeat the object.

    Thanks.
     
  17. MrX

    MrX Guest

    The reason I installed and registered Look 'n' Stop was because of Phant0m.
    From the reading I had been doing, I know I’m surely not the only one.
    I can sympathize with Phant0m; I too have been experiencing problems with LNS TCP SPI and must disable it just to continue my normal activities, and from what I read, Frederic's design of this feature is indeed different from other software firewalls I’ve used with SPI.
    It is clear why there is a limitation here: to avoid possible memory consumption. And I’m not saying this doesn’t make sense, especially depending on the design, but I’ve used many software firewalls with SPI that work perfectly, with no noticeable slowdown in system or internet performance regardless of how many connections there are.
    And my opinion is that this firewall is only half as good without Phant0m, and I’m jumping ship along with him.

    Best wishes to all!
     
  18. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Please note that there was a bug in the 2.04 and 2.05b1 versions regarding TCP SPI: sometimes, some incoming connections were rejected. This problem has been fixed in 2.05b2 and is different from the limitation on the number of simultaneous TCP connections.
    However the symptoms are very similar.

    I know the limitation is still an issue, especially for persons using P2P applications.

    Frederic
     
  19. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    @MrX

    Can you quote the names of firewalls having the SPI feature?

    SPI is known to be available in routers or in Linux, but in Windows personal firewalls I don't remember having seen it, though I could have missed it; I don't remember having seen, as in Look'n'Stop, a checkbox with "enable SPI". Can you shed some light on the names of the many firewalls having such a feature?
     
  20. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey guys

    Hey gkweb

    Where have you been? There are a number of today’s Software Firewalls that offer at minimum TCP SPI capabilities, such as Sygate Personal Firewall, Advanced Firewall aka Ambra Firewall aka VisNetic Firewall aka 8Signs Firewall… :D
     
  21. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    .
     
  22. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    .
     
  23. FuBaSh

    FuBaSh Registered Member

    Joined:
    Nov 1, 2003
    Posts:
    5
    @Frederic

    I've had my share of problems with the SPI feature too. I was forced to choose between turning off SPI, which would greatly decrease my firewall's security effectiveness, or being brutally hammered by TCP packets as seen below (the image will be kept on the server for a few weeks unless notified otherwise):

    http://my.sanbrunocable.com/fubash/TCP_SPI.gif

    Please fix this limitation problem, Fred! Btw, the picture above shows LNS v2.05b2. However, the problem exists in all versions that I've seen.
     
  24. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    VisNetic is NOT a personal firewall for home users, but a packet filter for servers (it has no outbound application filtering), so a full SPI can be implemented easily on a dedicated server (dedicated CPU + memory).

    So as for personal firewalls, Sygate (according to their website) has a basic SPI, not a full SPI, and does not support ICMP.
     
  25. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    @FuBash

    It has been said plenty of times, and unless you haven't read a single post of this forum, you must know that SPI isn't compatible with all P2P software, which turns your computer into a server with heavy traffic.

    SPI basically (as I said, but I'll say it again) was meant to be on a dedicated server to handle LAN connections; if you take a 50-computer LAN with 10 connections each (while surfing the Internet), then you have 500 connections handled by a dedicated server.
    But P2P software, like the eMule you use, can make your pending connections jump to 1500+, nothing to do with a normal "home user" or client computer use; it turns your computer into a server with an amazing number of connections.
    If Look'n'Stop had a connection limit of 2000 and not 128, I guess your computer would be totally unusable: on one hand eMule consuming all your bandwidth, and on the other hand Look'n'Stop eating all your CPU and memory to check 2000 connections in real time.

    Did you know that even real full SPI gets burst by P2P traffic?
    Yeah, really: there are hardware routers which simply lock up above 300 or 500 connections.

    Now that you know all of that, you can see that on one hand doing a real full SPI to handle so much traffic isn't so obvious even on dedicated hardware, so on *your* computer, already used by Windows and by other applications, it is even worse.

    Maybe it is possible to add, but even if it were under such hard conditions, I don't see what it would be worth, because someone to whom you connect using eMule could use the traffic characteristics (dst IP, src port, etc.) to simply flood you and DoS you using criteria allowed by the SPI (the incoming traffic would be a reply to something you have initiated).

    If you just browse the web and SPI blocks you, ok, it has to be fixed, but if you use P2P, just temporarily disable SPI; it is not meant to handle P2P.
     
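As an added illustration of the mechanism behind the blocks discussed in this thread (this is not Look 'n' Stop code nor anything posted by its author or the participants): a minimal bounded state table that refuses new outbound connections once its slots are full, run against a constructed trace with the 128-entry limit and a P2P-style peer count. The flow tuples, peer addresses and port numbers are constructed for the example.

```python
"""Bounded TCP state table, as an added example for the thread above.

Not Look 'n' Stop code: the table holds at most `max_entries` flows
(the thread cites 64 before v2.05b2, 128 after). Outbound SYNs that do
not fit are refused, which is what fills the log with 'stateful' blocks.
"""
from dataclasses import dataclass, field


@dataclass
class StateTable:
    max_entries: int
    entries: set = field(default_factory=set)
    blocked: int = 0

    def packet(self, flow, flags):
        """Process one packet; return True if allowed, False if blocked.

        flow: (src_ip, src_port, dst_ip, dst_port) as seen from the host.
        flags: 'SYN' opens a flow, 'ACK' is traffic on an existing flow,
        'FIN' closes the flow and frees its slot.
        """
        if flags == 'SYN':
            if flow in self.entries:
                return True
            if len(self.entries) >= self.max_entries:
                self.blocked += 1          # table full: connection refused
                return False
            self.entries.add(flow)
            return True
        if flow in self.entries:
            if flags == 'FIN':
                self.entries.discard(flow)  # slot becomes free again
            return True
        self.blocked += 1                   # no state for this flow
        return False


def simulate(max_entries, n_peers):
    """Open n_peers P2P connections that stay open, then 10 web connections.

    Constructed trace; returns (p2p_blocked, web_blocked) counts.
    """
    table = StateTable(max_entries)
    for i in range(n_peers):  # constructed peer addresses and port 4662
        table.packet(('10.0.0.2', 40000 + i, f'198.51.100.{i % 254 + 1}', 4662), 'SYN')
    p2p_blocked = table.blocked
    for i in range(10):       # ordinary browsing after the P2P client filled the table
        table.packet(('10.0.0.2', 50000 + i, '203.0.113.10', 80), 'SYN')
    return p2p_blocked, table.blocked - p2p_blocked
```

With the 128-slot table, 50 peers leave browsing untouched, while 1500 peers refuse 1372 peer connections and then every one of the 10 web connections; raising the cap removes the blocks at the cost the posters above describe.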
Thread Status:
Not open for further replies.