A long time ago in a podcast far, far away one of the hosts saddled his pony unicorn and started explaining how stateful firewalls work:
Stateful firewall is a way to imply trust… because it’s possible to hijack somebody’s flows […] and if the application changes its port numbers… my source port changes when I’m communicating with my web server - even though I’m connected to port 80, my source port might change from X to Y. Once I let the first one through, I need to track those port changes […]
WAIT, WHAT? Was that guy really trying to say “someone can change a source port number of an established TCP session”?
For the record, you cannot change the port numbers of an established TCP session; the only way to get different port numbers is to go through another TCP SYN exchange, which both a stateful firewall and the host TCP stack treat as a totally separate TCP session.
Also, it’s pretty hard to hijack somebody’s flows unless you’re in the forwarding path, in which case it’s pretty much game over anyway and the stateful firewalls can’t do a thing to stop you.
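To make the point concrete, here is an added example (not code from the original post, and a deliberately simplified model of what a real firewall does): a minimal stateful tracker keyed on the connection 4-tuple. The addresses, ports and packets are constructed; the state names are hypothetical labels. It shows that a packet carrying a "changed" source port matches no existing entry and is dropped, and that only a fresh SYN opens a second, independent session.

```python
"""Minimal stateful TCP connection tracker (constructed example).

A TCP session is identified by its source/destination addresses and ports;
neither endpoint can change those ports in flight. A stateful firewall
therefore admits a packet only if it matches an existing entry, or if it is
an outbound SYN that opens a new entry. Everything below is illustrative.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: set  # subset of {"SYN", "ACK", "FIN", "RST"}


class StatefulFirewall:
    def __init__(self, allow_outbound_to=(80, 443)):
        self.allowed_dst_ports = set(allow_outbound_to)
        # key: (inside IP, inside port, outside IP, outside port) -> state label
        self.table = {}

    @staticmethod
    def _key(in_ip, in_port, out_ip, out_port):
        return (in_ip, in_port, out_ip, out_port)

    def process(self, pkt, direction):
        """Return 'ACCEPT' or 'DROP' for pkt travelling 'out' (inside->outside) or 'in'."""
        if direction == "out":
            key = self._key(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        else:
            # A reply is looked up by the session's inside endpoint, i.e. its destination.
            key = self._key(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

        state = self.table.get(key)
        if state is None:
            # No matching session: only a fresh outbound SYN to a permitted port may open one.
            if direction == "out" and pkt.flags == {"SYN"} and pkt.dst_port in self.allowed_dst_ports:
                self.table[key] = "SYN_SENT"
                return "ACCEPT"
            return "DROP"

        # Matching session: advance a minimal handshake state machine.
        if state == "SYN_SENT" and direction == "in" and pkt.flags == {"SYN", "ACK"}:
            self.table[key] = "SYN_RECV"
        elif state == "SYN_RECV" and direction == "out" and "ACK" in pkt.flags:
            self.table[key] = "ESTABLISHED"
        if "RST" in pkt.flags:
            del self.table[key]  # reset tears the session down
        return "ACCEPT"


def demo():
    """Walk one handshake, then try to 'change' the source port mid-session."""
    fw = StatefulFirewall()
    client, server = "10.0.0.5", "203.0.113.10"  # constructed addresses
    verdicts = []
    # Three-way handshake from client port 40001 to server port 80
    verdicts.append(fw.process(Packet(client, 40001, server, 80, {"SYN"}), "out"))
    verdicts.append(fw.process(Packet(server, 80, client, 40001, {"SYN", "ACK"}), "in"))
    verdicts.append(fw.process(Packet(client, 40001, server, 80, {"ACK"}), "out"))
    # Same session, but with source port 40002: matches no entry, so it is dropped
    verdicts.append(fw.process(Packet(client, 40002, server, 80, {"ACK"}), "out"))
    # A server reply addressed to port 40002 matches nothing either
    verdicts.append(fw.process(Packet(server, 80, client, 40002, {"ACK"}), "in"))
    # Only a new SYN from port 40002 opens a second, independent session
    verdicts.append(fw.process(Packet(client, 40002, server, 80, {"SYN"}), "out"))
    return verdicts, fw


if __name__ == "__main__":
    results, firewall = demo()
    print(results)          # ['ACCEPT', 'ACCEPT', 'ACCEPT', 'DROP', 'DROP', 'ACCEPT']
    print(firewall.table)   # two separate entries, one per client port
```

The tracker never "follows" a port change because there is nothing to follow: the 4-tuple is the session's identity, and a packet with a different source port is either part of a different session (one that must begin with its own SYN) or noise that matches no state and is dropped.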
I totally understand that people make blunders in live sessions (so do I). What I can’t understand is that nobody jumped in and corrected it, or that it didn’t get removed during the final editing.
Why do I care?
It’s very simple – if you have a significant number of readers/listeners who trust you as the source of their technical knowledge, you cannot afford to leave obvious errors like this one lurking in the wild, because someone might actually believe you without double-checking your claims against something like TCP/IP for Dummies.
Or, in short, I don’t really care what you do, but please do no harm.
Here’s the response from Greg Ferro… and I totally agree with his summary that security needs a LOT of unnecessary explaining for reasons I don’t entirely understand.