Question:
Is Stateless (also known as FwdFast) faster than a normal IP policy? What is its intended use?
Answer:
No, Stateless (or FwdFast) is not, as the name may suggest, faster than Allow.
The new name (Stateless) better reflects what such a rule actually does, which is to bypass the Firewall State Engine. This means that a Stateless rule requires a full route lookup for each and every packet that triggers this IP Policy.
What a Stateless rule does is immediately forward the packet, bypassing the stateful inspection engine. This is indeed faster for the individual packet. However, since there is no state information for the connection, the IP Policy rule and the routing table have to be consulted for **each and every packet**; this consumes more CPU time than the state table lookups for established connections that are normally created for all other IP policy rule types.
The intended use case for a Stateless rule is mainly to allow traffic between two points that is doing something “odd”. It could be a program or TCP stack that sends packets with incorrect packet order or headers, or simply network equipment that causes only part of the conversation between two hosts to be seen by the Firewall. In such cases a Stateless rule would be needed to allow the traffic. An example would be a packet flow where, for the TCP handshake, the Firewall only sees the SYN but not the ACK or SYN+ACK.
An example of a Stateless rule can be found in the article “Using Stateless policies”. (Note: Broken link, to be added)
Note-1: It is recommended NOT to enable logging on FwdFast or Stateless policy rules, as cOS Core will generate a log entry for every single packet.
Note-2: None of the above applies to cOS Stream, which handles this differently in the next generation of the Clavister operating system: Stream does not perform a rule + route lookup per packet but instead keeps track of the traffic using a type of Stateless connection. So in some cases in Stream, a Stateless rule may be slightly faster.
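To make the cost difference and the “odd traffic” use case concrete, here is an added toy model in Python. It is not Clavister code and does not reproduce how cOS Core implements its state engine; the policy, endpoints and packet flows are all constructed. It counts how many rule-plus-route evaluations and how many state-table hits each mode needs for a normal TCP flow and for a flow where only the SYN, not the SYN+ACK, passes the firewall.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str   # e.g. "SYN", "SYN,ACK", "ACK", "PSH,ACK"

class ToyFirewall:
    def __init__(self, stateless: bool) -> None:
        self.stateless = stateless
        self.state: Dict[FrozenSet[Tuple[str, int]], str] = {}  # keyed by the two endpoints
        self.rule_route_lookups = 0   # full IP policy + routing table evaluations
        self.state_hits = 0           # cheap state-table matches

    def _policy_and_route(self, p: Packet) -> bool:
        self.rule_route_lookups += 1  # the expensive path: IP policy + routing table
        return 80 in (p.sport, p.dport)   # constructed policy: web traffic, either direction

    def handle(self, p: Packet) -> str:
        if self.stateless:
            # Stateless/FwdFast: every packet pays the full lookup and no state is kept.
            return "forward" if self._policy_and_route(p) else "drop"
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        if key in self.state:
            self.state_hits += 1      # known connection: state table only, no rule/route work
            if self.state[key] == "established" or p.flags == "SYN,ACK":
                self.state[key] = "established"   # reply SYN+ACK completes the handshake
                return "forward"
            return "drop"             # handshake never completed as seen by the firewall
        if p.flags == "SYN" and self._policy_and_route(p):
            self.state[key] = "syn_seen"   # new connection admitted, state created
            return "forward"
        return "drop"                 # policy rejected the SYN, or no SYN was ever seen

def run(stateless: bool, packets: List[Packet]) -> Tuple[List[str], int, int]:
    fw = ToyFirewall(stateless)
    return [fw.handle(p) for p in packets], fw.rule_route_lookups, fw.state_hits

def pkt(direction: str, flags: str) -> Packet:
    c, s = ("10.0.0.1", 40000), ("192.0.2.10", 80)   # constructed client and server endpoints
    a, b = (c, s) if direction == "c2s" else (s, c)
    return Packet(a[0], b[0], a[1], b[1], flags)

NORMAL_FLOW = [pkt("c2s", "SYN"), pkt("s2c", "SYN,ACK"), pkt("c2s", "ACK"), pkt("c2s", "PSH,ACK")]
ODD_FLOW = [pkt("c2s", "SYN"), pkt("c2s", "ACK"), pkt("c2s", "PSH,ACK")]  # SYN+ACK took another path
```

In stateful mode the normal flow costs one rule-plus-route evaluation and then only state hits, while the odd flow is dropped after the SYN; in stateless mode every packet of both flows is forwarded, but each one pays the full evaluation.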