Re: [fw-wiz] FW and TCP Sessions

From: Henning Brauer (hb_at_bsws.de)
Date: 06/01/04

    To: Manoj Kumar Neelapareddy <manojkreddyutl@yahoo.com>
    Date: Tue, 1 Jun 2004 15:47:37 +0200
    
    

    * Manoj Kumar Neelapareddy <manojkreddyutl@yahoo.com> [2004-06-01 15:15]:
    > if a FW is said to be a stateful firewall, then will
    > it allow a TCP packet to pass through it (outbound), if
    > I haven't sent a TCP SYN to initiate a TCP Session
    > before sending this TCP packet?

    this depends on the implementation.

    In OpenBSD's pf, we evaluate the regular ruleset if there was no match
    in the state table.

    > I heard that a stateful firewall won't allow any TCP
    > packets, other than TCP SYNs, to pass through it, if
    > there is no session corresponding to a TCP packet
    > maintained in the FW's session table.

    that may be true for some specific implementation, or even with a
    specific ruleset.

    > and FW will create a new session only when it detects
    > a TCP SYN.

    again, this is implementation- and ruleset-dependent.

    in pf:
      pass in to $webserver port 80 keep state
    would create state for any packet coming in and destined to $webserver
    port 80, while
      pass in to $webserver port 80 keep state flags S
    would only do so for SYNs.

    -- 
    Henning Brauer, BS Web Services, http://bsws.de
    hb@bsws.de - henning@openbsd.org
    Unix is very simple, but it takes a genius to understand the simplicity.
    (Dennis Ritchie)
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
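
A small Python model of the behaviour described in the message above (state-table lookup first, then ruleset evaluation, with state created either for any matching packet or only for SYNs). It is an added illustration, not code from the original post or from pf. The class names, the default-block policy, the documentation-range addresses and the reading of `flags S` as "SYN set, ACK clear" are assumptions of this sketch.

```python
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10  # TCP flag bits

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

@dataclass(frozen=True)
class PassRule:
    dst: str
    dport: int
    syn_only: bool  # True models "keep state flags S" (assumed: SYN set, ACK clear)

    def matches(self, p):
        if (p.dst, p.dport) != (self.dst, self.dport):
            return False
        return not self.syn_only or (p.flags & (SYN | ACK)) == SYN

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()  # established flows, keyed by 4-tuple

    def filter(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.states or rev in self.states:
            return "pass (state)"          # state-table hit, ruleset skipped
        for rule in self.rules:            # no state: evaluate the ruleset
            if rule.matches(p):
                self.states.add(fwd)       # "keep state"
                return "pass (new state)"
        return "block"                     # assumed default policy

def run(syn_only):
    # Constructed sample traffic to a hypothetical web server at 192.0.2.10.
    fw = Firewall([PassRule("192.0.2.10", 80, syn_only)])
    stray_ack = Packet("198.51.100.7", 40000, "192.0.2.10", 80, ACK)
    syn = Packet("198.51.100.8", 40001, "192.0.2.10", 80, SYN)
    ack = Packet("198.51.100.8", 40001, "192.0.2.10", 80, ACK)
    return [fw.filter(p) for p in (stray_ack, syn, ack)]

if __name__ == "__main__":
    print("keep state        :", run(syn_only=False))
    print("keep state flags S:", run(syn_only=True))
```

With the SYN-only rule, the ACK that arrives without a preceding SYN finds no state and no matching rule, while the same ACK creates a new state entry under the unrestricted rule.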
    
