Question about how a non-stateful firewall receives incoming communications

Hi,

I know that in a stateful firewall, a communication initiated from inside lets the packets coming back from outside enter on a HIGH port, because it keeps a state table of the correct sessions.

My question is, how do things work in a non-stateful firewall regarding incoming communication that is trying to enter my network as a RESPONSE to my request (meaning the same situation as I described for the stateful firewall; let's say I go to a web page and request data from the web server, and the communication comes back to my router)?

In a stateful firewall I know that I don't need to open the high port manually; however, the destination port is a high port number, and the firewall lets the packet pass since it has a record that I started the connection.

But how do things work in a non-stateful firewall?

Does the packet that comes as a reply to my request also have a high port number in the destination? Do I need to open the high port manually?

Another question is, are most of the routers/firewalls today stateful firewalls?

Thanks
ymg800 Asked:
Ernie Beek (Expert) Commented:
Ah, well, that is what you do with:
access-list outside-in permit tcp any host 1.2.3.4 established
You explicitly permit return traffic (SYN-ACK) from an outgoing request.
Only you don't explicitly define the ports (because you don't need to).
0
 
Ernie Beek (Expert) Commented:
Stateless firewalls basically watch the traffic and compare the packets with the rules in their rule database.

"Does the packet that comes as a reply to my request also have a high port number in the destination? Do I need to open the high port manually?"
Not quite. In an IOS ACL, for example, you put in: permit tcp any host 1.2.3.4 established, thus allowing return traffic to pass through.

"Are most of the routers/firewalls today stateful firewalls?"
Don't think so, those are the more professional (= expensive) ones. For example: iptables from Linux and the default Windows (XP, Vista, 7) firewalls are all stateless.
0
 
ymg800 (Author) Commented:
So you're saying that in Cisco (IOS is Cisco's OS, right?) you have one command that allows this, and you run it once?

How about other firewalls, for example the Windows firewall that you mentioned is stateless: how does it accept return traffic in TCP? I don't remember that you have any definition or command that you need to enter in order for it to work.

Thanks
0
 
Ernie Beek (Expert) Commented:
It's in Cisco IOS, that's correct.

It's not a command as such, but an option in an access-list entry. Like:
access-list outside-in permit tcp any host 1.2.3.4 established

For Windows, my guess is that it comes built in as an implicit rule.
0
 
ymg800 (Author) Commented:
OK, so you say that in some firewalls this option is already turned on by default. This makes me wonder why in my CISSP studies they say that you need to specify explicitly to open the high port.

By the way, the communication coming back goes to a HIGH port number on the destination IP, right? (which is my gateway and some high-numbered port?), for a non-stateful firewall of course (or stateless :) )
Thanks
0
 
Ernie Beek (Expert) Commented:
"OK, so you say that in some firewalls this option is already turned on by default. This makes me wonder why in my CISSP studies they say that you need to specify explicitly to open the high port."

Well, I said I guess that's the case for Windows. I normally keep away from that and disable it ASAP.
I'm curious how exactly they describe that in your study material then.

About the second point, you're right. The communication source connects to a remote host using a well-known port like 80 from a high port (>1023), and the remote host connects back to that high port. You know, three-way handshake and stuff.
0
 
ymg800 (Author) Commented:
Well, it's a question, and I got the answer OK.

Here is the question from the exam:
Opening high-port ranges in a packet-filtering firewall:

Correct answer:
must be explicitly permitted for inbound traffic to allow TCP sessions

While there is another question for stateful firewalls:

Opening high-port ranges in a stateful firewall:

Correct answer:

is not necessary to explicitly refer to high ports in this type of firewall

Well, I don't remember seeing any firewall that needs to be explicitly defined for high ports, but on the other hand, I haven't seen a lot of firewalls :)
0
 
ymg800 (Author) Commented:
Well, that is true for Cisco; I guess other vendors have something similar or so...
But since nobody gives any input on other products (seems like you are the only one answering...)

I will close this question if there is no further input about other vendors and stateless firewalls...

Thanks a lot for helping, erniebeek!! (The points will come shortly, of course :) )
0
 
Ernie Beek (Expert) Commented:
No problem, glad I could help you (in a certain way :)
0
 
ymg800 (Author) Commented:
You helped a lot!! Thanks!!
0
 
Ernie Beek (Expert) Commented:
Hi ymg800.

Is there anything else you need to know?
0
 
ymg800 (Author) Commented:
Yes, please check my last post:

"Well, that is true for Cisco; I guess other vendors have something similar or so...
But since nobody gives any input on other products (seems like you are the only one answering...)

I will close this question if there is no further input about other vendors and stateless firewalls..."

The question is whether you need to specify directly to open the high port for return TCP packets in a stateless firewall.

erniebeek brought an example regarding Cisco, but what about other vendors?
0
 
Ernie Beek (Expert) Commented:
Ah, you're right.
Let's see if I can help you a bit more.

For example iptables, to allow established traffic:
https://help.ubuntu.com/community/IptablesHowTo#Allowing_Established_Sessions
This is from an Ubuntu forum but the idea is the same for other flavors of Linux.

Windows uses an application-based firewall. So you define the application which is allowed through the firewall. Windows has pre-configured sets of rules per application that define which ports the application uses for incoming and outgoing traffic.
http://en.wikipedia.org/wiki/Windows_Firewall
http://en.wikipedia.org/wiki/Windows_Filtering_Platform
0
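A worked illustration of the two approaches discussed in this thread: the IOS `established` ACL entry from the earlier answers and the iptables "allow established sessions" rule linked in the last one. This is an added example, not code from Cisco IOS, iptables, Windows Firewall or either participant. It simulates a stateless packet filter, which has to open the high-port range explicitly and can only inspect the flags of the packet in front of it (Cisco's `established` keyword matches packets with the ACK or RST bit set), beside a stateful filter that records sessions started from inside and needs no high-port rule at all. The addresses (10.0.0.5, 203.0.113.10, 198.51.100.7), the ports and the packet fields are constructed for the example.

```python
from dataclasses import dataclass

# Constructed values for the example (not from the thread):
# 10.0.0.0/24 is the "inside" network, 203.0.113.10 is the web server the
# inside host talks to, 198.51.100.7 is an outside host sending probes.
INSIDE_PREFIX = "10.0.0."
HIGH_PORT_LO, HIGH_PORT_HI = 1024, 65535   # the "high-port range" of the exam question


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def stateless_allow(pkt: Packet) -> bool:
    """Packet filter with no memory of earlier packets.

    Outbound traffic is permitted. Inbound traffic is permitted only to the
    explicitly opened high-port range, and only when the packet carries the
    ACK (or RST) bit, which is what an IOS 'established' ACL entry tests:
    it looks at the flags of this one packet, not at any session.
    """
    if is_inside(pkt.src):
        return True
    looks_established = pkt.ack or pkt.rst
    return looks_established and HIGH_PORT_LO <= pkt.dport <= HIGH_PORT_HI


class StatefulFilter:
    """Packet filter that records connections initiated from inside.

    An inbound packet is admitted only if its reversed 4-tuple matches a
    recorded session, the way an iptables ESTABLISHED rule consults the
    connection-tracking table. No high-port rule is needed.
    """

    def __init__(self) -> None:
        self.sessions: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if is_inside(pkt.src):
            if pkt.syn and not pkt.ack:          # new outbound connection
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def run_scenario() -> dict[str, dict[str, bool]]:
    """Push the same packets through both filters and report the decisions."""
    stateful = StatefulFilter()

    # 1. inside host opens a connection to the web server from a high port
    outbound_syn = Packet("10.0.0.5", 51515, "203.0.113.10", 80, syn=True)
    # 2. the legitimate SYN-ACK reply, destined for that high port
    reply_synack = Packet("203.0.113.10", 80, "10.0.0.5", 51515, syn=True, ack=True)
    # 3. an unsolicited ACK probe (ACK scan) aimed at a high port nobody opened
    forged_ack = Packet("198.51.100.7", 80, "10.0.0.5", 40000, ack=True)
    # 4. an unsolicited connection attempt (plain SYN) to a high port
    inbound_syn = Packet("198.51.100.7", 4444, "10.0.0.5", 40000, syn=True)

    stateless = {
        "reply_synack": stateless_allow(reply_synack),
        "forged_ack": stateless_allow(forged_ack),
        "inbound_syn": stateless_allow(inbound_syn),
    }
    stateful.allow(outbound_syn)                    # creates the session entry
    stateful_result = {
        "reply_synack": stateful.allow(reply_synack),
        "forged_ack": stateful.allow(forged_ack),
        "inbound_syn": stateful.allow(inbound_syn),
    }
    return {"stateless": stateless, "stateful": stateful_result}


if __name__ == "__main__":
    for kind, decisions in run_scenario().items():
        print(kind, decisions)
```

Both filters admit the SYN-ACK reply and both drop the unsolicited SYN. The `forged_ack` case is the caveat behind the exam answer: the stateless rule must open the whole high-port range and can only check flag bits, so any outside packet with ACK set to a port in that range passes, which is what an ACK scan relies on. The stateful filter drops it because there is no matching session in its table.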