Is Stateless (also known as FwdFast) faster than a normal IP policy? What is it’s intended use?
No, Stateless (or FwdFast) is not, as the name may suggest, faster than Allow.
The new name (Stateless) better reflects what such a rule actually does, which is to bypass the Firewall State Engine. This means that a Stateless rule requires a full route look up for each and every packet that triggers this IP Policy.
What a stateless rule do is to immediately forward the packet, bypassing the statefull inspection engine. This is indeed faster for the individual packet. However, since there is no state information regarding the connection, the IP Policy rule and the Routing table have to be consulted for** each and every packet**; this consumes more CPU time than state table look ups for established connections that is normally created for all other IP policy rule types.
The intended use-case for a Stateless rule is mainly go allow traffic between two points that is doing something “odd”. It could be a program or TCP stack that sends packets with incorrect packet order, headers or simply network equipment that cause only part of the conversation between two hosts to be seen by the Firewall. Then a Stateless rule would be needed to allow it. An example would be if the packet flow works in such a way that for the TCP handshake the Firewall would only see the SYN but not the ACK or SYN+ACK.
An example of Stateless rule can be found in article “Using Stateless polices”. (Note: Broken link, to be added)
Note-1: It is recommended NOT to enable logging on FwdFast or Stateless policy rules as cOS Core will generate a log entry for every single packet.
Note-2: None of the above applies for cOS Stream as it is handled differently in the next generation of Clavister operating system as in Stream it does not create a rule + route lookup per packet but rather keeps track of it using a type of Stateless connection. So in some cases in Stream, a Stateless rule may be slightly faster.
21 Oct, 2022 core arp routing
12 Apr, 2023 core proxyarp arp ipsec routing
28 Mar, 2023 ikev2 windows vpn routing splittunneling
4 Apr, 2023 core stateless connections
22 Mar, 2021 core ipsec routing
13 Apr, 2023 core routing ospf ipsec
17 Jun, 2021 core ipsec routing
30 Nov, 2022 core routing
1 Jun, 2022 core routing management
25 Nov, 2022 core routing bgp
6 Jul, 2021 core stream tcpsequence sequence stateless
16 Oct, 2023 howto core pbr routing netwall isp
15 Dec, 2022 core routing ospf
7 Nov, 2022 core arp log routing
6 Apr, 2023 core ripv2 routing
17 Mar, 2023 core routing rules ping icmp cli
13 Feb, 2023 ipsec core routing failover
18 Apr, 2023 core routing transparentmode proxyarp