Re: [fw-wiz] FW and TCP Sessions

firewalladmin_at_bellsouth.net
Date: 06/01/04

  • Next message: Paul D. Robertson: "RE: [fw-wiz] Vulnerability Response (was: BGP TCP RST Attacks)"
    To: Manoj Kumar Neelapareddy <manojkreddyutl@yahoo.com>, 
    Date: Tue, 1 Jun 2004 15:22:45 -0400
    
    

    Howdy Manoj:

    (manojkreddyutl@yahoo.com wrote)
    > if a FW is said to be a stateful firewall, then will
    > it allow a TCP packet to pass through it (outbound), if
    > I haven't sent a TCP SYN to initiate a TCP session
    > before sending this TCP packet?

    Nope. It only allows ACK bits.

    > I heard that a stateful firewall won't allow any TCP
    > packets, other than TCP SYNs, to pass through it if
    > there is no session corresponding to the TCP packet
    > maintained in the FW's session table.

    Actually, you need to have other rules/filters allowing traffic of some sort; then the return (ACK) traffic will be allowed. For instance, if outgoing HTTP/port 80 traffic is allowed, then as long as the firewall is using stateful inspection, the return packets (say, on port 5760) would be allowed without having to create a wide-open "allow everything inbound that has a destination port above 1024" rule. There are many variables involved, however, such as rule order/priority. The ACK bit is helpful for firewall design and reduces the number of potential filter rules. A filter rule could be created just allowing incoming TCP packets with the ACK bit set, as these packets should have been originated from the local network. The caveat to watch for, though, is forged packets, a common attack vector nowadays. Stateful inspection is a good thing, but it should be used with smart filtering and application proxies as well.

    Hope my long-winded reply was helpful, I could have elaborated further but didn't want to put anyone to sleep. [:o)

    Mark

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
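The two approaches Mark contrasts above (a stateless "inbound allowed if the ACK bit is set" rule versus a session table populated by permitted outbound SYNs) can be compared side by side in a few dozen lines. The following is an added example, not code from the original message or from any real firewall product; the `Packet` type, `ack_bit_filter`, `StatefulFilter`, `run_scenario`, the allowed-port policy and the addresses are all constructed for illustration. The stateless filter mimics the classic "established" ACL keyword (match ACK or RST set), so the forged inbound ACKs Mark warns about sail through it, while the tracker drops them for lack of a matching session. The last packet answers Manoj's question directly: an outbound segment with no prior SYN is dropped by the stateful filter even though the port policy would have permitted it.

```python
"""Toy comparison: stateless ACK-bit rule vs. a minimal stateful session table.

Everything here is constructed for illustration; it models no real firewall.
"""
from dataclasses import dataclass

OUTBOUND = "out"   # packet leaves the local network
INBOUND = "in"     # packet arrives from the Internet

# Constructed policy: local hosts may open connections to these destination ports.
ALLOWED_OUTBOUND_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


def ack_bit_filter(pkt: Packet) -> bool:
    """Stateless rule set: outbound per port policy, inbound if ACK (or RST) is set.

    This is the "allow incoming TCP with the ACK bit set" rule from the post,
    with the same semantics as a router ACL 'established' keyword. It keeps no
    memory, so a forged inbound packet with ACK set is indistinguishable from a
    genuine reply.
    """
    if pkt.direction == OUTBOUND:
        return pkt.dport in ALLOWED_OUTBOUND_PORTS
    return pkt.ack or pkt.rst


class StatefulFilter:
    """Minimal connection tracker keyed on the (local, remote) 4-tuple."""

    def __init__(self) -> None:
        # (local_ip, local_port, remote_ip, remote_port) -> "SYN_SENT" | "ESTABLISHED"
        self.sessions: dict[tuple[str, int, str, int], str] = {}

    def process(self, pkt: Packet) -> bool:
        if pkt.direction == OUTBOUND:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in self.sessions:
                if pkt.rst:
                    del self.sessions[key]      # session torn down
                return True                     # belongs to a tracked session
            if pkt.syn and not pkt.ack and pkt.dport in ALLOWED_OUTBOUND_PORTS:
                self.sessions[key] = "SYN_SENT"  # only a policy-permitted SYN opens state
                return True
            return False                        # non-SYN with no session: dropped
        # Inbound: look the packet up from the local host's point of view.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.sessions.get(key)
        if state is None:
            return False                        # the ACK bit alone buys nothing here
        if state == "SYN_SENT":
            if pkt.syn and pkt.ack:
                self.sessions[key] = "ESTABLISHED"
                return True
            return False                        # wrong flags for this handshake stage
        if pkt.rst:
            del self.sessions[key]
        return True


def run_scenario() -> dict[str, tuple[bool, bool]]:
    """Replay a constructed packet sequence; return {label: (stateless, stateful)} verdicts."""
    local, web, attacker = "10.0.0.5", "198.51.100.10", "203.0.113.7"   # constructed addresses
    packets = [
        ("client SYN to web:80", Packet(OUTBOUND, local, 5760, web, 80, syn=True)),
        ("web SYN/ACK reply", Packet(INBOUND, web, 80, local, 5760, syn=True, ack=True)),
        ("client ACK completes handshake", Packet(OUTBOUND, local, 5760, web, 80, ack=True)),
        ("web data segment", Packet(INBOUND, web, 80, local, 5760, ack=True)),
        ("forged ACK to 5760, no session", Packet(INBOUND, attacker, 80, local, 5760, ack=True)),
        ("forged ACK to 3389, no session", Packet(INBOUND, attacker, 4444, local, 3389, ack=True)),
        ("outbound bare ACK, no SYN first", Packet(OUTBOUND, local, 6001, web, 80, ack=True)),
    ]
    tracker = StatefulFilter()
    return {label: (ack_bit_filter(pkt), tracker.process(pkt)) for label, pkt in packets}


if __name__ == "__main__":
    for label, (stateless, stateful) in run_scenario().items():
        print(f"{label:36} ack-bit rule: {'PASS' if stateless else 'DROP'}   "
              f"stateful: {'PASS' if stateful else 'DROP'}")
```

Note that the tracker's state machine is deliberately skeletal (no sequence-number window checks, no timeouts, no FIN handling), which is exactly the "smart filtering" Mark says stateful inspection still needs alongside it: a real product that matched on the 4-tuple alone would still accept a forged segment whose source happened to coincide with an open session.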

