Link to home
Start Free TrialLog in
Avatar of dbrannigan
dbrannigan

asked on

Firewall Question

I have a quick question re: port issues on a Stateful Inspection firewall. Ie fw-1

(for simplistic reasons i am assuming no NAT!)
Ok i am on my companys LAN and want to connect to for eg www.bbc.com, I understand that I make a connection to their web server on TCP port 80. And their web server connects back to my machine on a random high end port.

My question is how do FW rules apply... to this.. ie let out traffic for port 80 and anything back in????????? (ie to connect to my machine on the high range port) therefore do the rules apply goingout/coming in? or does the firewall dynamically open the port coming back in?

Thanks
ASKER CERTIFIED SOLUTION
Avatar of scraig84
scraig84

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Steve Jennings
Steve Jennings

What scraig84 is correct. I would add that some "stateful" inspection engines will incorrectly allow a packet through just because an ACK bit is set on the assumption that it is a response packet. I believe this was a problem with the "established" keyword in Cisco ACLs. I could be wrong. I'm CERTAIN someone will correct me.

Good luck.
Steve
You are wrong wrong wrong wrong!!! :)

Actually, I do think Cisco had some problems with that.  They did create a new way to create this scenario that was supposed to be better, but I forget what its called (dynamic ACL?) or how to do it.  It was much messier and had a lot more config lines is all I can remember.  In my opinion if you are pretending that a router ACL is good enough for security, you're asking for a world of hurt anyway, so why care?
Avatar of dbrannigan

ASKER

excellent as always scraig84! Cheers