Firewall Wizards
mailing list archives
Re: FW and TCP Sessions
From: <firewalladmin () bellsouth net>
Date: Tue, 1 Jun 2004 15:22:45 -0400
Howdy Manoj:
(manojkreddyutl () yahoo com wrote)
> if a FW is said to be a stateful firewall, then will
> it allow a TCP packet to pass through it (outbound), if
> I haven't sent a TCP SYN to initiate a TCP session
> before sending this TCP packet?
Nope. It only allows ACK bits.
> I heard that a stateful firewall won't allow any TCP
> packets, other than TCP SYNs, to pass through it if
> there is no session corresponding to the TCP packet
> maintained in the FW's session table.
Actually, you need to have other rules/filters allowing traffic of some sort; then return (ACK) traffic will be
allowed. For instance, if outgoing HTTP/port 80 traffic is allowed, then as long as it was using stateful inspection,
the return packets (say on port 5760) would be allowed without having to create a wide open "allow everything inbound
that has a destination port above 1024" rule. There are many variables involved, however, such as rule order/priority.
The ACK bit is helpful for firewall design and reduces the number of potential filter rules. A filter rule could be
created just allowing incoming TCP packets with the ACK bit set, as these packets should have originated from the
local network. The caveat to watch for, though, is forged packets, a common attack vector nowadays. Stateful inspection
is a good thing, but it should be used with smart filtering and application proxies as well.
Hope my long-winded reply was helpful, I could have elaborated further but didn't want to put anyone to sleep. [:o)
Mark
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
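The difference Mark describes between a stateless "allow inbound TCP with ACK set" rule and a session table that is only populated by an outbound SYN, as an added worked example that is not part of the original thread. The addresses, ports (including the 5760 ephemeral port from the post) and the `10.0.0.` "inside" prefix are constructed for the demonstration; the classes model only the flag and 5-tuple checks discussed above, not a real firewall engine.

```python
"""Toy comparison: ACK-bit filtering versus stateful session tracking.

Constructed example (not real firewall code). Packets, addresses and the
INSIDE_NET prefix are made up to illustrate the thread's points:
  * an outbound packet with no prior SYN is dropped by the stateful filter,
  * return traffic to an ephemeral port is allowed without a wide-open rule,
  * a forged inbound packet with ACK set fools the ACK-only rule but not
    the session table.
"""
from dataclasses import dataclass

INSIDE_NET = "10.0.0."  # assumption: addresses with this prefix are "local"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}

    def inbound(self) -> bool:
        return self.dst.startswith(INSIDE_NET) and not self.src.startswith(INSIDE_NET)


def ack_only_filter(pkt: Packet) -> bool:
    """Stateless rule set: allow all outbound, allow inbound only if ACK is set.
    It keeps no memory, so a forged inbound packet with ACK set is accepted."""
    return True if not pkt.inbound() else "ACK" in pkt.flags


class StatefulFilter:
    """Session table keyed on the local/remote 4-tuple.

    Only an outbound bare SYN to a permitted destination port creates an entry;
    every other packet, in either direction, must match an existing entry."""

    def __init__(self, allowed_outbound_ports):
        self.allowed = set(allowed_outbound_ports)
        self.table = {}  # (local_ip, local_port, remote_ip, remote_port) -> state

    @staticmethod
    def _key(pkt: Packet):
        if pkt.inbound():
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def allow(self, pkt: Packet) -> bool:
        key = self._key(pkt)
        state = self.table.get(key)
        if state is None:
            # No session yet: the only thing that may pass is an outbound SYN
            # (without ACK) to an allowed port. An outbound ACK with no prior
            # SYN, or any unsolicited inbound packet, is dropped here.
            if not pkt.inbound() and pkt.flags == frozenset({"SYN"}) and pkt.dport in self.allowed:
                self.table[key] = "SYN_SENT"
                return True
            return False
        if "RST" in pkt.flags:
            del self.table[key]          # reset tears the session down
            return True
        if state == "SYN_SENT":
            # Expect the peer's SYN/ACK; anything else is out of sequence.
            if pkt.inbound() and pkt.flags == frozenset({"SYN", "ACK"}):
                self.table[key] = "ESTABLISHED"
                return True
            return False
        return "ACK" in pkt.flags        # ESTABLISHED: both directions need ACK


def run_scenario():
    """Run the same packet sequence through both filters; returns {label: (ack_only, stateful)}."""
    fw = StatefulFilter(allowed_outbound_ports={80, 443})
    syn = frozenset({"SYN"})
    synack = frozenset({"SYN", "ACK"})
    ack = frozenset({"ACK"})
    packets = [
        ("outbound_ack_without_syn", Packet("10.0.0.5", 6000, "203.0.113.10", 80, ack)),
        ("outbound_syn_to_telnet", Packet("10.0.0.5", 6001, "203.0.113.10", 23, syn)),
        ("outbound_syn_to_http", Packet("10.0.0.5", 5760, "203.0.113.10", 80, syn)),
        ("inbound_synack_reply", Packet("203.0.113.10", 80, "10.0.0.5", 5760, synack)),
        ("inbound_data_reply", Packet("203.0.113.10", 80, "10.0.0.5", 5760, ack)),
        ("forged_inbound_ack", Packet("198.51.100.7", 80, "10.0.0.5", 5761, ack)),
    ]
    return {label: (ack_only_filter(p), fw.allow(p)) for label, p in packets}


if __name__ == "__main__":
    for label, (stateless, stateful) in run_scenario().items():
        print(f"{label:28s} ack-only={stateless!s:5s} stateful={stateful}")
```

The forged packet is the case Mark warns about: the ACK-only rule accepts it because it never asks whether anyone inside opened that session, while the stateful filter rejects it for exactly that reason. Real products add sequence-number and window checks on top of the table lookup shown here.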
Current thread:
- FW and TCP Sessions Manoj Kumar Neelapareddy (Jun 01)
- Re: FW and TCP Sessions firewalladmin (Jun 01)