dbrannigan
asked on
Firewall Question
I have a quick question re: port issues on a stateful inspection firewall, i.e. FW-1.
(for simplistic reasons I am assuming no NAT!)
OK, I am on my company's LAN and want to connect to, for e.g., www.bbc.com. I understand that I make a connection to their web server on TCP port 80, and their web server connects back to my machine on a random high-end port.
My question is, how do FW rules apply to this? I.e. let out traffic for port 80 and anything back in? (i.e. to connect to my machine on the high-range port) Therefore, do the rules apply going out/coming in? Or does the firewall dynamically open the port coming back in?
Thanks
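The behaviour the question is asking about, shown as an added example that is not part of the original thread and is not FW-1 code: a toy stateful-inspection filter with a single outbound rule ("inside hosts may open TCP connections to port 80/443"). The outbound SYN is matched against the rule and creates a state-table entry; the web server's reply packets are then allowed because they match that entry, so no inbound rule for the high-numbered client port is ever written. A packet arriving at the same client port that does not belong to a tracked connection is dropped. The addresses and ports are constructed sample values; the `StatefulFirewall` class and `Packet` type are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of a packet: the 5-tuple plus the TCP SYN flag."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    syn: bool = False  # SYN set means this packet opens a new TCP connection


class StatefulFirewall:
    """Toy stateful-inspection filter (hypothetical; illustrates the concept only)."""

    def __init__(self, inside_prefix, allowed_outbound_ports):
        self.inside_prefix = inside_prefix           # e.g. "10.0.0." marks the LAN side
        self.allowed_outbound = set(allowed_outbound_ports)
        # State table keyed by (proto, inside_ip, inside_port, outside_ip, outside_port).
        # A real firewall also ages entries out and removes them on FIN/RST.
        self.state = set()

    def is_inside(self, ip):
        return ip.startswith(self.inside_prefix)

    def filter(self, pkt):
        outbound = self.is_inside(pkt.src_ip) and not self.is_inside(pkt.dst_ip)
        if outbound:
            key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if key in self.state:
                return "ALLOW (state)"                # later packets of an open connection
            if pkt.proto == "tcp" and pkt.syn and pkt.dst_port in self.allowed_outbound:
                self.state.add(key)                   # rule matched: remember the connection
                return "ALLOW (rule, state created)"
            return "DROP"
        # Inbound direction: there is no inbound rule at all. Only packets that are
        # replies to a connection already in the state table get through.
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.state:
            return "ALLOW (state)"
        return "DROP"


def demo():
    """Walk through the scenario in the question; returns the four verdicts."""
    fw = StatefulFirewall("10.0.0.", [80, 443])
    client = "10.0.0.15"        # constructed LAN host
    server = "203.0.113.5"      # constructed web server (RFC 5737 documentation range)
    # 1. Client opens a connection from an ephemeral port to the server's port 80.
    out = fw.filter(Packet(client, 49152, server, 80, syn=True))
    # 2. Server's reply comes back to the ephemeral port: allowed by the state entry.
    back = fw.filter(Packet(server, 80, client, 49152))
    # 3. Some other host sends to that same ephemeral port: no state, dropped.
    stray = fw.filter(Packet("198.51.100.9", 80, client, 49152))
    # 4. Same server, but from a port that was never part of the connection: dropped.
    wrong_port = fw.filter(Packet(server, 8080, client, 49152))
    return out, back, stray, wrong_port


if __name__ == "__main__":
    for label, verdict in zip(("outbound SYN", "reply", "stray inbound", "wrong src port"), demo()):
        print(f"{label:15} -> {verdict}")
```

The point for rule writing is that the rule base is evaluated in the direction the connection is opened; the return path is covered by the state table rather than by a second rule. A stateless packet filter that only looks at TCP flags cannot make the distinction between cases 2 and 3 above, which is why the state table matters for security and not just convenience.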
ASKER CERTIFIED SOLUTION
You are wrong wrong wrong wrong!!! :)
Actually, I do think Cisco had some problems with that. They did create a new way to create this scenario that was supposed to be better, but I forget what it's called (dynamic ACL?) or how to do it. It was much messier and had a lot more config lines, is all I can remember. In my opinion, if you are pretending that a router ACL is good enough for security, you're asking for a world of hurt anyway, so why care?
ASKER
excellent as always scraig84! Cheers
Good luck.
Steve