Firewall=SPI (Stateful Packet Inspection)?

[Kritiker]

The specifications for the RT-AC66U state:

Firewall: SPI intrusion detection, DoS protection

and in the router's web interface, under Firewall | General, I see

Firewall: Yes/No
Enable DoS protection: Yes/No
Logged packet types: select
Respond Ping Request from WAN: Yes/No

Since I see no other place where I can enable/disable SPI (Stateful Packet Inspection), I wonder whether the Firewall mentioned here is the SPI, includes it, or does not include it.

Another way of asking this might be whether SPI can be enabled/disabled separately at all or just with the entire firewall.

To me, it almost looks as if the term Firewall is used here first to refer to the four functions: Enable SPI, Enable DoS protection, Logged packet type and Respond Ping Request from WAN plus the features on the other tabs: URL filtering, Keyword filtering and Network Services filtering and and then to refer to SPI alone, i.e., that Enable SPI has been mislabeled Enable Firewall.

Have I got it all wrong?

 

[RMerlin]

This description is probably misleading.

SPI means that the firewall keeps track of the state of every connections, and will apply rules based on this. This is done by iptable. The router will distinguish a packet sent to a connection that is tracked as being ESTABLISHED versus one sent to a port that has no established connections (in which case it will drop it).

This is what these rules will do, for example:

DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

So yes, the Firewall option is what controls SPI.

I suspect that the Intrusion Detection is marketing speak for "the router will log packets that are sent to non-opened ports as they might be intrusion attempts". This must not be confused with real IPS (Intrusion Prevention System), which relies on a signature database to detect attempts at exploiting known vulnerabilities. That kind of feature is usually only available in enterprise products.

 

[Kritiker]

When you say this description is probably misleading, to which description are you referring, my suggestion of mislabeling or ???

I am still unclear. Does

Enable Firewall Yes/No

enable/disable just SPI or does it enable/disable more? If so, what?

I disabled the Firewall using this setting and not much in any of the tabs (that I noticed) under Advanced Settings | Firewall seemed to change. Respond Ping Request from WAN is greyed out when the Firewall is disabled and not greyed out when the Firewall is enabled. I don't know if this changes the Respond Ping Request from WAN or just prevents its being changed. Other Firewall features still had to be (could be) enabled/disabled separately, so the Enable Firewall selector doesn't seem to affect the whole Firewall.

In the past, my routers have all had the ability to turn SPI on/off, separately and I was surprised not to see that option here and I wondered if this was actually it. In fact, I would have expected to see an Enable SPI Yes/No selector at exactly this spot in the router's web interface.

I am trying to understand what these settings actually do on this router and what the implications are. The manual skips over the entire topic of Firewalls.

So far, I am liking this router and the features it has. In particular, I am trying to develop a better understanding of how the Respond Ping Request from WAN (which I have used for years), enable Web Access from WAN (which is new to me and somewhat worrisome), the Firewall (including SPI (which I have always used)) and the services the router can provide to me from outside my own network (new to me) interact and what security risks using these services brings. But I have more reading to do before I can ask any of those questions. The manual is remarkably silent on these topics too, as far as I can tell.

I am running stock 3.0.0.4.260 right now.

Oh and I thought the intrusion detection above just referred to the router's SPI feature, nothing more.

Addendum:

When Enable Firewall is set to No, the router responds to pings from the WAN even if the (now greyed out) Respond Ping Request from WAN was set to, and now displays, No. Also the Logged packets type selector is greyed out but left at whatever it was set to. So Enable Firewall certainly controls more than just SPI.

So, one must conclude that a greyed out setting, meaning that one cannot change it, does not necessarily indicate the correct state of the setting. I find that disturbing. Perhaps I am expecting too much?

 

[RMerlin]

When you say this description is probably misleading, to which description are you referring, my suggestion of mislabeling or ???

I meant Asus's description, sorry.

I am still unclear. Does enable/disable just SPI or does it enable/disable more? If so, what?

Try disabling it, then connect through telnet to see what firewall rules are applied:

iptables -L

You will see if the rules related to connection states such as what I posted are still there.

So far, I am liking this router and the features it has. In particular, I am trying to develop a better understanding of how the Respond Ping Request from WAN (which I have used for years)

If that option is enabled, it means that when someone pings your public IP, your router will return an echo response.

When disabled, the firewall will silently ignore the packet, so people pinging your IP will get a "request timed out", meaning they can't tell if there is something connected to that IP or not.

Some online games require you to be pingable for example, so you will need to enable that option in those cases.

enable Web Access from WAN (which is new to me and somewhat worrisome)

Some people need to be able to remotely access their router to configure it. Not the safest thing to leave enabeld indeed, but if you had someone who is not techno-savvy requiring your help in configuring their router's wireless, you could have them temporarily enable that option, allowing you to remotely configure their router. You still need to know the router's username and password to access it.

Oh and I thought the intrusion detection above just referred to the router's SPI feature, nothing more.

That's the part I meant is kinda confusing, if not misleading. People see "intrusion detection" and think about some advanced IPS, which it ain't.

 

[Kritiker]

You are too fast for me. I made a couple of changes to my posting while you were replying to me. I miss the strikethrough on this forum - that would have made it easier for me to indicate changes.

I will now digest your response(s) more fully. Thanks.

Oh and I will dust off my Telnet program. I know I have it here, somewhere.