Packet state mechanism

xiaoxiao, 2021-03-06

Packet states in user space

As mentioned earlier, the state of a packet depends on the protocol carried inside IP, but outside the kernel, in user space, there are only four states: NEW, ESTABLISHED, RELATED and INVALID. They are used mainly with state matching. The following table introduces them briefly:

Table 4-1. Packet states in user space

NEW: This packet is the first packet we have seen. In other words, it is the first packet of a connection that the conntrack module sees, and it is about to be matched. For example, when we see a SYN packet, it is the first packet we pay attention to, so we match it. The first packet need not be a SYN packet, but it will still be considered NEW. This sometimes leads to problems, but it is very helpful in some situations, for example when we want to pick up a connection from another firewall, or when a connection has timed out but is actually not closed.

ESTABLISHED: The connection has seen traffic in both directions, and packets of this connection will keep being matched. Connections in the ESTABLISHED state are very easy to understand: once you send a packet and receive a reply, the connection is ESTABLISHED. For a connection to go from NEW to ESTABLISHED, it only needs to receive a reply packet, whether that packet is sent to the firewall or forwarded by it. ICMP errors, redirects and other such packets are also seen as ESTABLISHED, as long as they are replies to something we sent.

RELATED: RELATED is a more troublesome state. A connection is considered RELATED when it is related to a connection that is already in the ESTABLISHED state. In other words, for a connection to be RELATED, there must first be an ESTABLISHED connection, and this ESTABLISHED connection spawns a new connection outside the main one. This new connection is RELATED, provided that the conntrack module is able to understand it. FTP is a good example: the FTP-DATA connection is RELATED to the FTP control connection. There are other examples, such as DCC connections through IRC. With this state, ICMP replies, FTP transfers, DCC and so on can work through the firewall. Note that most of the UDP protocols rely on this mechanism. These protocols are very complex: they put connection information inside the packet payload and require that this information be correctly understood.

INVALID: The packet cannot be identified as belonging to any connection, or it has no state at all. There can be several reasons for this, for example running out of memory, or receiving an ICMP error message that does not belong to any known connection. Generally we DROP packets in this state.

These states can be combined to match packets. This makes our firewall very strong and effective. Previously, we often had to open all ports above 1024 to let reply traffic back in. With the state mechanism this is no longer necessary, because we only need to open the ports that actually carry reply data and can close the others. This is much safer.
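The following is an added example, not code from the original article: a minimal stateful INPUT chain that uses the four states described above in the order a defender wants them. WAN_IF and OPEN_TCP_PORTS are assumptions, and the rule set is only printed unless APPLY=1 is set explicitly.

```shell
# Added example (not from the original article). Assumed values: external
# interface and the TCP services we publish; change them for a real host.
WAN_IF="${WAN_IF:-eth0}"
OPEN_TCP_PORTS="${OPEN_TCP_PORTS:-22 80 443}"

# Prints the rules in the order they must be applied:
#  1. load the FTP helper so FTP-DATA is tracked as RELATED to the control connection
#  2. drop INVALID first, so untracked packets never reach the accept rules
#  3. accept ESTABLISHED,RELATED replies without per-port rules; this is what
#     replaces the old habit of opening every port above 1024 for reply traffic
#  4. drop TCP packets that are NEW but not SYN (the mid-stream case the text warns about)
#  5. accept NEW only on published ports; the chain policy drops everything else
stateful_input_rules() {
    echo "modprobe nf_conntrack_ftp"
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state INVALID -j DROP"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP"
    for p in $OPEN_TCP_PORTS; do
        echo "iptables -A INPUT -i $WAN_IF -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
}

# Sanity check on the generated rule set: the INVALID drop and the
# ESTABLISHED,RELATED accept must come before every NEW accept, otherwise a
# later edit could let untracked traffic in. Returns 0 when the order is right.
check_rule_order() {
    rules=$(stateful_input_rules)
    inv=$(printf '%s\n' "$rules" | grep -n -- '--state INVALID' | cut -d: -f1)
    est=$(printf '%s\n' "$rules" | grep -n -- 'ESTABLISHED,RELATED' | cut -d: -f1)
    first_new=$(printf '%s\n' "$rules" | grep -n -- '--state NEW -j ACCEPT' | head -n1 | cut -d: -f1)
    [ -n "$inv" ] && [ -n "$est" ] && [ -n "$first_new" ] \
        && [ "$inv" -lt "$est" ] && [ "$est" -lt "$first_new" ]
}

# Print the rule set by default; apply it only when APPLY=1 is set explicitly.
if [ "${APPLY:-0}" = "1" ]; then
    check_rule_order && stateful_input_rules | sh -e
else
    stateful_input_rules
fi
```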

Please credit the original source when reposting: https://www.9cbs.com/read-117777.html
