A SYN filtering strategy works extremely well for TCP. The only change we advocate to protocol designers and implementors is that TCP-based protocols should never require applications to open a back-channel connection. The problem here is obvious: a request-response filter allows a SYN packet to go out through the firewall but drops the SYN packet by which the external host requests a back-channel. Although a TCP connection originating from outside the firewall might be an application-level ``response'' to an FTP or rsh request originating within the firewall, a stateless packet filter has no way of knowing this.
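The rule described above can be written down as a few lines of code. The block below is an added illustration, not code from the paper: it models a stateless request-response filter that passes a TCP segment only if it is not a connection-opening SYN, or if that SYN comes from inside the protected network, and runs it over two constructed FTP traces. The address prefix, the host addresses and the port numbers are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

INTERNAL_PREFIX = "10.0.0."   # constructed: the site behind the firewall


@dataclass(frozen=True)
class Segment:
    """The handful of TCP/IP header fields a stateless filter looks at."""
    src: str      # source IP address
    dst: str      # destination IP address
    sport: int    # source port
    dport: int    # destination port
    syn: bool     # SYN flag
    ack: bool     # ACK flag


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def syn_filter(seg: Segment) -> bool:
    """Stateless request-response rule.

    A connection-opening segment (SYN set, ACK clear) is passed only when it
    originates inside. Everything else is passed: a SYN+ACK or a data segment
    can only belong to a connection that some inside host already opened, and
    the filter keeps no per-connection state that would let it decide more
    finely than this.
    """
    if seg.syn and not seg.ack:
        return is_internal(seg.src)
    return True


def dropped(trace: List[Segment]) -> List[Tuple[str, int, int]]:
    """Return (src, sport, dport) of every segment the filter would drop."""
    return [(s.src, s.sport, s.dport) for s in trace if not syn_filter(s)]


CLIENT, SERVER = "10.0.0.5", "192.0.2.10"   # constructed: inside client, outside server

# Constructed trace of FTP with a back-channel: after the control connection is
# up, the server opens the data connection from its port 20 to the client.
BACK_CHANNEL_TRACE = [
    Segment(CLIENT, SERVER, 40000, 21, syn=True, ack=False),   # control SYN, outbound
    Segment(SERVER, CLIENT, 21, 40000, syn=True, ack=True),    # SYN+ACK reply, inbound
    Segment(SERVER, CLIENT, 20, 40001, syn=True, ack=False),   # server-initiated data SYN
]

# Constructed trace of the alternative the paper advocates: the server announces
# a port and the client performs the active open, so every SYN is outbound.
CLIENT_OPENS_TRACE = [
    Segment(CLIENT, SERVER, 40000, 21, syn=True, ack=False),
    Segment(SERVER, CLIENT, 21, 40000, syn=True, ack=True),
    Segment(CLIENT, SERVER, 40002, 51234, syn=True, ack=False),  # client-initiated data SYN
    Segment(SERVER, CLIENT, 51234, 40002, syn=True, ack=True),
]

if __name__ == "__main__":
    print("dropped with back-channel:", dropped(BACK_CHANNEL_TRACE))
    print("dropped with client-opened data channel:", dropped(CLIENT_OPENS_TRACE))
```

Running it shows exactly the failure the paragraph describes: the only segment dropped is the server's SYN for the data connection, which the filter cannot distinguish from any other unsolicited inbound connection attempt, while the trace in which the client opens the data connection passes in full.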
Protocols like FTP and rsh use back-channels to create an additional connection over which an application can send a data stream that is, at the application level, asynchronous or conceptually separate from the ``main'' application connection. FTP uses a back-channel to separate command and data streams; rsh does it to separate UNIX stdout and stderr. Where a service requires additional TCP connections to implement the desired application semantics, we see no reason why those additional connections must be opened by the server. The same effect can be obtained by having the server bind a local socket, find the local port number, send that port number in an application-level message to the client, and start a passive TCP open. The client then initiates an active open to the specified port on the server, which is waiting for the client machine to connect. The result is functionally identical to having the server establish a channel to the client but without requiring a SYN packet from the server through the firewall.
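The four steps just listed (bind a local socket, read back the port, announce it on the main connection, passive open, then an active open from the client) can be carried out with ordinary BSD sockets. The following is an added example, not code from the paper, that runs both sides on the loopback interface: the server accepts a main connection, and when the client asks for data it announces a freshly bound port rather than connecting back to the client. The one-word request `RETR` and the reply format `PASV <port>` are invented for the example and are not any real protocol's messages.

```python
import socket
import threading

HOST = "127.0.0.1"   # constructed: both ends run on the loopback interface


def open_passive_port() -> socket.socket:
    """Bind a socket to an OS-chosen local port and start a passive open.

    Port 0 asks the kernel for a free ephemeral port; getsockname() on the
    returned socket reveals which one was chosen.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((HOST, 0))
    s.listen(1)
    return s


def server(main_listener: socket.socket, payload: bytes) -> None:
    """Server side of the main connection.

    On a data request, bind a second local socket, tell the client its port
    number in an application-level message, and wait for the client to
    connect. No SYN ever leaves the server.
    """
    main, _ = main_listener.accept()
    with main:
        request = main.recv(64)
        if request.strip() != b"RETR":
            main.sendall(b"ERR\n")
            return
        data_listener = open_passive_port()
        port = data_listener.getsockname()[1]
        data_listener.settimeout(5)
        main.sendall(f"PASV {port}\n".encode())   # invented message format
        try:
            data, _ = data_listener.accept()
        finally:
            data_listener.close()
        with data:
            data.sendall(payload)


def client(main_port: int) -> bytes:
    """Client side: ask for data on the main connection, then perform the
    active open to the port the server announced and read until EOF."""
    with socket.create_connection((HOST, main_port), timeout=5) as main:
        main.sendall(b"RETR\n")
        reply = main.recv(64).decode().strip()
        if not reply.startswith("PASV "):
            raise RuntimeError(f"unexpected reply: {reply!r}")
        port = int(reply.split()[1])
        # The only SYN for the data stream travels client -> server.
        with socket.create_connection((HOST, port), timeout=5) as data:
            chunks = []
            while True:
                chunk = data.recv(65536)
                if not chunk:
                    break
                chunks.append(chunk)
            return b"".join(chunks)


def run_exchange(payload: bytes) -> bytes:
    """Run one complete exchange on loopback and return what the client read."""
    main_listener = open_passive_port()
    port = main_listener.getsockname()[1]
    t = threading.Thread(target=server, args=(main_listener, payload), daemon=True)
    t.start()
    try:
        return client(port)
    finally:
        t.join(5)
        main_listener.close()


if __name__ == "__main__":
    print(run_exchange(b"hello over the client-opened data channel"))
```

Seen from the filter in the previous paragraph, both connections in this exchange begin with a SYN travelling from the client towards the server, so a stateless request-response filter in front of the client passes them without needing to understand the application-level message that carried the port number.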
However, replacing TCP back-channels with active connections is not an adequate solution for X, where the roles of client and server are reversed. There is no channel between the X server and any external process over which external clients can bootstrap connections. Addressing this version of the back-channel problem without using an application-level gateway would therefore require far-reaching changes to the X window protocol and is an area for future research.