1. Technical Field
The subject matter described herein generally relates to the field of firewalls and, in particular, to determining (without using a network) whether a firewall will block a particular network packet.
2. Background Information
A firewall receives network packets and processes them according to a set of rules. In particular, a firewall determines whether to block a received network packet or allow the received network packet to pass through the firewall. A stateful firewall additionally maintains a connection state table that indicates the state of network connections (e.g., Transmission Control Protocol (TCP) streams or User Datagram Protocol (UDP) exchanges) traveling across the firewall. A stateful firewall processes a network packet based on both the rules and the connection state table. For example, if the connection state table includes an entry for a particular active network session, then a network packet associated with that session is allowed to pass through the firewall without being re-evaluated against the rules.
A stateful firewall's rules can change over time, such that a network packet that was allowed through the firewall under the old rules should now be blocked under the new rules. However, if that network packet is associated with an active session represented by an entry in the connection state table, then the packet will still be allowed through the firewall even though it violates the new rules. So, after a rule change, there are two options. One option is to drop all network connections (e.g., by clearing the connection state table). This first option is secure but can significantly disrupt executing applications, because every connection, including those the new rules would still permit, must be re-established. Another option is to continue allowing active network connections that were allowed under the old rules. This second option is a breach of the new rules for as long as those sessions remain open, but executing applications are not affected.
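The following Python model is an added illustration and is not code from the original document. It is a deliberately simplified stateful firewall: the rule set is first-match and keyed only on protocol, destination address and destination port, and the connection state table is a set of 5-tuples. The class names, the rule fields and the sample packet and rules are all constructed for this example. It shows the dilemma described above concretely: the same packet is allowed under the old rules, the rules change to block it, and the outcome afterwards depends on whether the state table is flushed (first option) or retained (second option). It also shows the offline prediction mentioned in the technical field, since nothing here touches a network.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed, simplified model of a stateful firewall (not the original
# document's code). Rules match on protocol / destination / dport only.


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "block"
    proto: Optional[str] = None  # None means "any"
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))


FiveTuple = Tuple[str, str, int, str, int]


def five_tuple(p: Packet) -> FiveTuple:
    return (p.proto, p.src, p.sport, p.dst, p.dport)


class StatefulFirewall:
    def __init__(self, rules: List[Rule], default_action: str = "block"):
        self.rules = list(rules)
        self.default_action = default_action
        # Connection state table: sessions already admitted by the rules.
        self.state: Set[FiveTuple] = set()

    def rule_decision(self, p: Packet) -> str:
        # First-match semantics; fall back to the default action.
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default_action

    def would_block(self, p: Packet) -> bool:
        # Offline prediction: consult the state table first, then the rules,
        # without admitting the packet or mutating the table.
        if five_tuple(p) in self.state:
            return False
        return self.rule_decision(p) == "block"

    def process(self, p: Packet) -> str:
        # Live processing: a tracked session passes without rule evaluation;
        # a newly allowed packet creates a state-table entry.
        if self.would_block(p):
            return "block"
        self.state.add(five_tuple(p))
        return "allow"

    def replace_rules(self, new_rules: List[Rule], flush_state: bool) -> None:
        self.rules = list(new_rules)
        if flush_state:
            self.state.clear()   # first option: drop every connection


def rule_change_scenario(flush_state: bool) -> dict:
    # Constructed sample: an SSH session admitted under the old rules, then a
    # new rule set that blocks SSH. Addresses and ports are made up.
    ssh = Packet("tcp", "10.0.0.5", 51000, "10.0.0.20", 22)
    old_rules = [Rule("allow", proto="tcp", dport=22)]
    new_rules = [Rule("block", proto="tcp", dport=22)]

    fw = StatefulFirewall(old_rules)
    before = fw.process(ssh)          # allowed, session becomes tracked
    fw.replace_rules(new_rules, flush_state)
    after = fw.process(ssh)           # same packet, new rules
    return {
        "before_change": before,
        "new_rules_say": fw.rule_decision(ssh),   # "block" either way
        "after_change": after,
        "session_tracked": five_tuple(ssh) in fw.state,
    }


if __name__ == "__main__":
    for flush in (True, False):
        print("flush_state=%s -> %s" % (flush, rule_change_scenario(flush)))
```

With `flush_state=True` the packet is blocked after the change and the session disappears from the table; with `flush_state=False` the rules now say "block" but the packet is still allowed because the state lookup short-circuits rule evaluation, which is exactly the breach described in the second option. On a Linux netfilter host the equivalent of the first option is flushing the conntrack table (e.g., `conntrack -F` from conntrack-tools), which drops every tracked session, not only those the new rules would reject.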