LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the six main disadvantages of pure packet filters?

Packet filters are fast and simple, but they're stateless, blind to application content, and easily fooled by spoofed flags or dynamic ports.

The six disadvantages:

# Disadvantage Concrete example
1 Difficult to configure Hundreds of rules; one mis-ordering breaks everything
2 Problems with FTP (and similar protocols) FTP-Data uses an incoming connection on a dynamically negotiated port
3 Each packet checked in isolation — no memory of previous packets Can't tell "this ACK is legitimate" from "this ACK is forged"
4 Problems with dynamic-port protocols SIP, RPC, FTP-passive — port chosen at runtime, can't pre-allow
5 Vulnerable to specific attacks Spoofed source ports (20, 53), spoofed source IPs, ACK floods
6 Packet content (data payload) is NOT inspected Malware in HTTP body passes through if HTTP is allowed

The FTP problem in detail:

Client (10.0.0.5)             Server (203.0.113.5)
  │                              │
  ├─ TCP/21 ───────────────────→ │  Control: "I want a file"
  │                              │
  │ ←──────────────── TCP/20-←──┤  Data: server connects BACK to client
  │                                  on a port chosen at runtime!

The data channel is an incoming connection from the server to the client on a port the server picks. A static packet filter can't predict that port → either you open all high ports (terrible) or FTP doesn't work.

The "spoofed Source Port 20" attack:

If your firewall allows "any traffic with source port 20" (because that's "FTP data replies"), an attacker can spoof source port 20 on packets from anywhere to bypass your rules. Packet filters can't detect this — they just see the port label.

The "ACK without SYN" attack:

An attacker sends a TCP packet with only the ACK flag set. To a stateless packet filter rule that allows ACK packets, this looks legitimate. The internal host responds with RST (since there's no matching connection). The attacker uses the RST/no-RST distinction to map your network without ever completing a handshake.

Tip: All six issues are why stateful inspection was invented and why pure packet filters are now mostly used as a first stage in front of more sophisticated firewalls. They're great at high-volume coarse filtering (drop obvious garbage) but inadequate as the only defense.

Go deeper:

From Quiz: INTROL / Firewall Fundamentals | Updated: Jul 14, 2026