Whatever Happened to “Do No Harm”?

A long time ago in a podcast far, far away one of the hosts saddled his pony unicorn and started explaining how stateful firewalls work:

Stateful firewall is a way to imply trust… because it’s possible to hijack somebody’s flows […] and if the application changes its port numbers… my source port changes when I’m communicating with my web server - even though I’m connected to port 80, my source port might change from X to Y. Once I let the first one through, I need to track those port changes […]

WAIT, WHAT? Was that guy really trying to say “someone can change a source port number of an established TCP session”?

For the record, you cannot change the port numbers of an established TCP session, and the only way to get different port numbers is by going through another TCP SYN exchange, which would be treated as a totally separate TCP session by either a stateful firewall or host TCP stack.

Also, it’s pretty hard to hijack somebody’s flows unless you’re in the forwarding path, in which case it’s pretty much game over anyway and the stateful firewalls can’t do a thing to stop you.

I totally understand that people make blunders in live sessions (so do I). What I can’t understand is that nobody jumped in and corrected it, or that it didn’t get removed during the final editing.

Why do I care?

It’s very simple – if you have a significant number of readers/listeners who trust you as the source of their technical knowledge, you cannot afford to leave the obvious errors like this one lurking in the wild, because someone might actually believe you without double-checking your claims against something like TCP/IP for Dummies.

Or, in short, I don’t really care what you do, but please do no harm.

Update 2016-01-29

Here’s the response from Greg Ferro… and I totally agree with his summary that security needs a LOT of unnecessary explaining for reasons I don’t entirely understand.


  1. Out of context it's difficult to say, but may be he was tracking, e.g, source IP and trusting a new flow from same IP with old trust from previous flow (from another source port)? So he says ... source port changes ?
    1. I hope he didn't mean what you think he might have - it would be even worse. That was called "lock & key" in Cisco IOS, and no reasonable firewall would use something like that on traffic coming from the (untrusted) outside zone.

      Trusting source IP addresses coming from the Internet == guaranteed fail ;) I don't even have to be in the forwarding path - all I need to do is grab your prefix (or start advertising a more specific one) after you've drilled the hole in the firewall, and I'm in. Thank you very much ;))
    2. Humm.. I had in mind something that requires two TCP connections like FTP where a new connection is allowed as part of an existing one but the statement you quote is unbiased, a source port changing towards a web server.

      I have heard worse things from a major firewall vendor, like SYN+ACK retransmission requiring a matching new SYN from the client.

      To the point of the article, I agree, Podcasters are in a trustable position and should think hard. Listeners: Don't believe everything people say blindly.
    3. I still don't see the "same connection" that triggers your "what???" state in the snippet you quoted. I read it as "same session" and he may beusing more metadata to link them (DPI?).
      Podcasters are not trustable because they post. Trust is a complicated (and abused) quality IMHO.
  2. It's one of the reasons I prefer your linear podcast style to the stream-of-consciousness style. By the time I think "whoa, what did he just say?", it's on to the next thing.
  3. I dont think thats what he was saying. you might be misinterpreting.
    1. I was listening to the whole sequence several times just to be sure... So yeah, I might be misinterpreting.
  4. I think it's saying, state does not equal trust.
Add comment