LANCOM Reference Manual LCOS 3.50, Chapter 8: Firewall, page 110
it is expecting the connection. As a result, the server establishes a connection from its port 20 to the port requested by the client.

To allow this to work, the administrator of the packet filter would have to open all ports for incoming connections, because he cannot know in advance which port the client will request for the FTP data connection. The alternative is passive FTP: here the client establishes the data connection itself, to a port on the server that was agreed beforehand. Passive mode is, however, not supported by all clients and servers.
To continue the comparison of the firewall with a doorkeeper: this doorkeeper only checks whether he knows the courier who arrives at the door with the packet. If the courier is known and has ever entered the building before, he may pass unhindered, and is not checked again for any subsequent deliveries all the way to the addressee's workplace.
Stateful Packet Inspection
Stateful Packet Inspection (SPI), or briefly Stateful Inspection, enhances the packet filter approach by additionally checking connection state information. Beside the mostly static table of permitted ports and address ranges, this variant maintains a dynamic table that holds the connection state of each individual connection. This dynamic table makes it possible to block all endangered ports at first and to open a port selectively, only when required, for a permitted connection (matched by source and destination address). Ports are always opened from the protected network towards the unprotected one, that is, mostly from the LAN to the WAN (Internet).

[Figure: active FTP connection setup between Client and Server. Control connection: client source port 4321 to server destination port 21. Data connection: server source port 20 to client destination port 4322.]
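The following toy model illustrates both the active/passive FTP problem described above and the stateful inspection that this section explains. It is an added example, not LANCOM or LCOS code: a static filter that judges each packet on its own (with the classic flags-only "established" heuristic) is run side by side with a stateful filter that keeps a dynamic connection table opened only from the LAN side. The addresses, the FTP port numbers (4321/21 and 20/4322 from the figure, 50000 for the passive data port) and the packet sequences are constructed for the demonstration.

```python
"""Toy model of a static packet filter versus stateful packet inspection (SPI).

Added illustration for this section; it is not LANCOM/LCOS code. Hosts, ports
and packets are constructed to mirror the FTP figure: client port 4321 to
server port 21 (control), server port 20 to client port 4322 (data).
"""
from dataclasses import dataclass

LAN_CLIENT = "192.168.1.10"   # constructed: FTP client in the protected network
WAN_SERVER = "203.0.113.5"    # constructed: FTP server on the Internet
THIRD_HOST = "198.51.100.7"   # constructed: unrelated host sending unsolicited packets
ALL_PORTS = range(1, 65536)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool   # True for the first packet of a new TCP connection

    @property
    def outbound(self):
        """LAN -> WAN, i.e. from the protected to the unprotected network."""
        return self.src_ip == LAN_CLIENT


class StaticPacketFilter:
    """Classic packet filter: judges every packet on its own, without memory."""

    def __init__(self, open_inbound):
        self.open_inbound = open_inbound   # ports statically opened for incoming connections

    def accept(self, p):
        if p.outbound:
            return True                    # simplification: anything may leave the LAN
        if not p.syn:
            return True                    # 'established' heuristic: TCP flags only, no state
        return p.dst_port in self.open_inbound


class StatefulPacketFilter:
    """SPI: a dynamic connection table, with entries created only from the LAN side."""

    def __init__(self):
        # (lan_ip, lan_port, wan_ip, wan_port) of connections the LAN has opened
        self.table = set()

    def accept(self, p):
        if p.outbound:
            key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
            if p.syn:
                self.table.add(key)        # LAN opens the connection: port opened for this peer only
                return True
            return key in self.table
        # inbound: accepted only as the reverse half of a connection in the table
        key = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        return key in self.table


def run(make_filter, packets):
    """Feed a packet sequence through a fresh filter; returns one verdict per packet."""
    fw = make_filter()
    return [fw.accept(p) for p in packets]


# Active FTP: the server opens the data connection towards the client.
ACTIVE_FTP = [
    Packet(LAN_CLIENT, 4321, WAN_SERVER, 21, syn=True),     # client opens control connection
    Packet(WAN_SERVER, 21, LAN_CLIENT, 4321, syn=False),    # server answers on it
    Packet(WAN_SERVER, 20, LAN_CLIENT, 4322, syn=True),     # server opens data connection
]

# Passive FTP: the client opens the data connection to a server port agreed
# beforehand (50000 is a constructed value).
PASSIVE_FTP = [
    Packet(LAN_CLIENT, 4321, WAN_SERVER, 21, syn=True),
    Packet(WAN_SERVER, 21, LAN_CLIENT, 4321, syn=False),
    Packet(LAN_CLIENT, 4322, WAN_SERVER, 50000, syn=True),
    Packet(WAN_SERVER, 50000, LAN_CLIENT, 4322, syn=False),
]

# Unsolicited traffic from a third host: a SYN and a bare ACK to the client.
PROBES = [
    Packet(THIRD_HOST, 40000, LAN_CLIENT, 445, syn=True),
    Packet(THIRD_HOST, 40000, LAN_CLIENT, 445, syn=False),
]

if __name__ == "__main__":
    print("static, nothing opened, active FTP: ", run(lambda: StaticPacketFilter(set()), ACTIVE_FTP))
    print("static, all ports opened, active FTP:", run(lambda: StaticPacketFilter(ALL_PORTS), ACTIVE_FTP))
    print("static, all ports opened, probes:    ", run(lambda: StaticPacketFilter(ALL_PORTS), PROBES))
    print("stateful, active FTP:                ", run(StatefulPacketFilter, ACTIVE_FTP))
    print("stateful, passive FTP:               ", run(StatefulPacketFilter, PASSIVE_FTP))
    print("stateful, probes:                    ", run(StatefulPacketFilter, PROBES))
```

Running the model shows the trade-off the text describes. With nothing opened, the static filter blocks the active FTP data connection (server port 20 to client port 4322); opening all inbound ports lets it through, but then the unsolicited SYN from the third host is accepted as well, and the bare ACK is accepted in either configuration because a flags-only filter has no memory of which connections exist. The stateful filter needs no inbound openings at all: passive FTP works because the client opened both connections, the server-initiated active data connection is dropped (which is why the text offers passive mode as the alternative), and both unsolicited packets are dropped because no table entry matches them.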