Knowledge Base Stateless vs Stateful ACL
Background:
This article aims to provide an explanation and comparison between the Stateless and Stateful ACL.
This Article Applies to:
Omada routers with Stateful ACL upgrades.
Term Explanation:
Stateless ACL:
Stateless ACL operates based on static rules to handle traffic. It decides whether to allow traffic based solely on predefined conditions (such as IP address, port number, etc.), without considering the context or previous traffic.
Each packet is checked independently of others. The ACL checks the packet's source and destination IP, port numbers, and other factors to decide whether to allow or deny access. This method does not track the state of the connection, so each traffic check is isolated.
Advantages:
Simpler to implement, and generally faster as it doesn’t require maintaining state information.
Disadvantages:
It cannot handle connection states, so for protocols like TCP (which rely on connection state), it may not be as effective or secure. Attackers can exploit this lack of context to bypass the ACL.
Stateful ACL:
Stateful ACL not only checks the packet’s basic information (such as IP, ports), but also tracks the state of the connection. It maintains a context of the traffic and ensures that packets are part of a valid session.
Stateful ACL keeps a state table, tracking the connection's status (e.g., whether a TCP handshake has occurred). It ensures that packets belong to an established connection (e.g., ensuring that only packets from an active session are allowed). For example, for a TCP connection, it can check the SYN, ACK flags and permit only valid communication.
Advantages:
More secure, particularly for dynamic protocols such as TCP. It can prevent attacks like SYN floods and other types of session hijacking.
Disadvantages:
Potentially lower performance, as it requires maintaining and updating a connection state table and checking each packet more thoroughly.
Key Differences:
How it works:
Stateless ACL: Does not track connection state; each packet is treated independently.
Stateful ACL: Tracks the connection state and only allows packets from active, valid connections.
Use case:
Stateless ACL: Suitable for simple access control where state tracking is not necessary (e.g., basic filtering).
Stateful ACL: Suitable for more complex scenarios where connection tracking is required (e.g., securing TCP connections or handling dynamic protocols).
In Omada router, the stateful ACL can be in the States. It determines the type of stateful ACL rule.
Here is the explanation from the User Guide:
It is recommended to use the default Auto type.
New - Match the connections of the initial state. For example, a SYN packet arrives in a TCP connection, or the router only receives traffic in one direction.
Established - Match the connections that have been established. In other words, the firewall has seen the bidirectional communication of this connection.
Related - Match the associated sub-connections of a main connection, such as a connection to a FTP data channel.
Invalid - Match the connections that do not behave as expected.
Update Logs:
Nov 11th, 2024:
Release of the article.
Recommended Threads:
How to Block Unwanted WAN IP Address from Your Server
How to Configure ACL to Block Unauthorized VPN Clients Bypassing the Portal
Feedback:
- If this was helpful, welcome to give us Kudos by clicking the upward triangle below.
- If there is anything unclear in this solution post, please feel free to comment below.
Thank you for your support and contribution to TP-Link Community!
------------------------------------------------------------------------------------------------
Have other off-topic issues to report?
Welcome to > Start a New Thread < and elaborate on the issue for assistance.