Solved

Question about how a non-stateful firewall receives incoming communications

Posted on 2011-09-02
Last Modified: 2013-11-16
Hi,

I know that in a stateful firewall, communication initiated from inside lets packets coming back from outside enter on a high port, because the firewall keeps a state table of the correct session.

My question is, how do things work in non-stateful firewalls regarding incoming communication that is trying to enter my network as a RESPONSE to my request (meaning the same situation as I described for the stateful firewall; let's say I go to a web page and request data from the web server, and the communication comes back to my router)?

In a stateful firewall I know that I don't need to open the high port manually; however, the destination port is a high port number, and the firewall lets the packet pass since it has a record that I started the connection.

But how do things work in a non-stateful firewall?

Does the packet that comes as a reply to my request also have a high port number in the destination? Do I need to open the high port manually?

Another question is, are most routers/firewalls today stateful firewalls?

Thanks
0
Question by:ymg800
15 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36473202
Stateless firewalls basically watch the traffic and compare the packets with the rules from their rules database.

"Does the packet that comes as a reply to my request also have a high port number in the destination? Do I need to open the high port manually?"
Not quite. In an IOS ACL, for example, you put in:
permit tcp any host 1.2.3.4 established
thus allowing return traffic to pass through.

"Are most routers/firewalls today stateful firewalls?"
I don't think so; those are the more professional (= expensive) ones. For example, iptables from Linux and the default Windows (XP, Vista, 7) firewalls are all stateless.
0
 

Author Comment

by:ymg800
ID: 36473291
So you're saying that in Cisco (IOS is the Cisco OS, right?) you have one command that allows this, and you run it once?

How about other firewalls, for example the Windows firewall that you mention is stateless: how does it accept return traffic in TCP? I don't remember there being any definition or command that you need to enter in order for it to work.

Thanks
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36473421
It's in Cisco IOS, that's correct.

It's not a command as such, but an option in an access list entry. Like:
access-list outside-in permit tcp any host 1.2.3.4 established

For Windows, my guess is that it comes built in as an implicit rule.
0
 

Author Comment

by:ymg800
ID: 36473498
OK, so you're saying that in some firewalls this option is already turned on by default. This makes me wonder why in my CISSP studies they say that you need to explicitly open the high port.

By the way, the communication comes back to a HIGH port number on the destination IP, right (which is my gateway and some high-numbered port)? For non-stateful firewalls, of course (or stateless :))
Thanks
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36473611
"OK, so you're saying that in some firewalls this option is already turned on by default. This makes me wonder why in my CISSP studies they say that you need to explicitly open the high port."

Well, I said I guess that's the case for Windows. I normally keep away from that and disable it ASAP.
I'm curious how exactly they describe that in your study material.

About the second: you're right. The communication source connects to a remote host on a well-known port like 80 from a high port (>1023), and the remote host connects back to that high port. You know, three-way handshake and stuff.
0
 

Author Comment

by:ymg800
ID: 36473714
It's a question, and I got the answer, OK.

Here is the question from the exam:
Opening high-port ranges in a packet-filtering firewall:

Correct answer:
must be explicitly permitted for inbound traffic to allow TCP sessions.

While there is another question for stateful firewalls:

Opening high-port ranges in a stateful firewall:

Correct answer:

it is not necessary to explicitly refer to high ports in this type of firewall.

Well, I don't remember seeing any firewall that needed high ports explicitly defined, but on the other hand I haven't seen a lot of firewalls :)
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 2000 total points
ID: 36473755
Ah, well, that is what you do with:
access-list outside-in permit tcp any host 1.2.3.4 established
You explicitly permit return traffic (SYN-ACK) from an outgoing request.
Only you don't explicitly define which ports (because you don't need to).
0
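The three policies the thread has been comparing, as an added example in Python that is not part of the original thread and not any vendor's code: the CISSP-style rule that explicitly opens the ephemeral range inbound, the IOS ACL `established` keyword, and a state-table filter. The inside host 1.2.3.4 is the address used in the thread; the outside addresses, ports and packets are constructed for the example. The point it makes is that both stateless rules decide on header fields alone (ports, or the ACK/RST flags), so a forged ACK from an unrelated host gets through them, while only the state table rejects it.

```python
"""Three inbound policies for TCP return traffic, as a toy model.

Added example, not from the thread. It contrasts the CISSP-style
"explicitly open the high-port range" rule, the IOS ACL 'established'
keyword (both stateless), and a state-table filter. The inside host
1.2.3.4 comes from the thread; the outside addresses, ports and the
traffic itself are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

INSIDE_HOST = "1.2.3.4"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]  # subset of {"SYN", "ACK", "RST", "FIN"}


def highport_rule(pkt: Packet) -> bool:
    """Stateless, explicit ephemeral range, roughly:
    permit tcp any eq 80 host 1.2.3.4 gt 1023
    Looks only at addresses and ports; any TCP flags are accepted."""
    return pkt.dst == INSIDE_HOST and pkt.sport == 80 and pkt.dport > 1023


def established_rule(pkt: Packet) -> bool:
    """Stateless, IOS style:
    permit tcp any host 1.2.3.4 established
    'established' matches when ACK or RST is set in the TCP header;
    it keeps no record of what the inside host actually sent."""
    return pkt.dst == INSIDE_HOST and bool(pkt.flags & {"ACK", "RST"})


class StatefulFilter:
    """State table keyed on the outbound 4-tuple. Inbound traffic is
    accepted only when it mirrors a connection the inside host opened."""

    def __init__(self) -> None:
        self.table: Set[Tuple[str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> None:
        # A SYN leaving the inside host creates a table entry.
        if pkt.src == INSIDE_HOST and "SYN" in pkt.flags:
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt: Packet) -> bool:
        # Reverse the tuple and look it up: no entry, no pass.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def evaluate() -> Dict[str, Tuple[bool, bool, bool]]:
    """Push three inbound packets through all policies.

    Returns {name: (highport, established, stateful)} verdicts."""
    fw = StatefulFilter()
    # Inside host opens a web session to 5.6.7.8 from ephemeral port 40000.
    fw.outbound(Packet(INSIDE_HOST, 40000, "5.6.7.8", 80, frozenset({"SYN"})))

    probes = {
        # The genuine SYN-ACK answering that request.
        "syn_ack_reply": Packet("5.6.7.8", 80, INSIDE_HOST, 40000,
                                frozenset({"SYN", "ACK"})),
        # A bare ACK from an unrelated host, source port 80 (ACK-scan style).
        "forged_ack": Packet("9.9.9.9", 80, INSIDE_HOST, 40001,
                             frozenset({"ACK"})),
        # A fresh SYN to a high port, sent from source port 80.
        "syn_from_sport80": Packet("9.9.9.9", 80, INSIDE_HOST, 3389,
                                   frozenset({"SYN"})),
    }
    return {
        name: (highport_rule(p), established_rule(p), fw.inbound(p))
        for name, p in probes.items()
    }


if __name__ == "__main__":
    for name, (hp, est, st) in evaluate().items():
        print(f"{name:18} high-port={hp!s:5} established={est!s:5} stateful={st}")
```

The forged ACK passes both stateless rules and fails only the state table. The explicit `gt 1023` rule is weaker still: it also accepts a fresh SYN to port 3389 because its source port happens to be 80, which is why source-port tricks work against explicitly opened high-port ranges and why `established` (which at least requires ACK or RST) was the usual stateless compromise.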
 

Author Comment

by:ymg800
ID: 36473794
Well, that is true for Cisco; I guess other vendors have something similar...
But since nobody gives any input about other products (seems like you are the only one answering...),

I will close this question if there is no further input about other vendors and stateless firewalls...

Thanks a lot for helping, erniebeek!! (The points will come shortly, of course :))
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36473806
No problem, glad I could help you (in a certain way :)
0
 

Author Comment

by:ymg800
ID: 36473837
You helped a lot!! Thanks!!
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36501412
Hi ymg800.

Is there anything else you need to know?
0
 

Author Comment

by:ymg800
ID: 36521234
Yes, please check my last post:

"Well, that is true for Cisco; I guess other vendors have something similar...
But since nobody gives any input about other products (seems like you are the only one answering...),

I will close this question if there is no further input about other vendors and stateless firewalls..."

The question is whether you need to specify directly to open high ports for return TCP packets in a stateless firewall.

erniebeek brought an example regarding Cisco, but what about other vendors?
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 2000 total points
ID: 36521317
Ah, you're right.
Let's see if I can help you a bit more.

For example iptables, to allow established traffic:
https://help.ubuntu.com/community/IptablesHowTo#Allowing_Established_Sessions
This is from an Ubuntu forum, but the idea is the same for other flavors of Linux.

Windows is using an application-based firewall. So you define the application which is allowed through the firewall. Windows has pre-configured sets of rules per application that define which ports the application uses for incoming and outgoing traffic.
http://en.wikipedia.org/wiki/Windows_Firewall
http://en.wikipedia.org/wiki/Windows_Filtering_Platform
0