Solved

Question about how a non-stateful firewall receives incoming communications

Posted on 2011-09-02
15
499 Views
Last Modified: 2013-11-16
Hi

I know that in a stateful firewall, communication initiated from inside lets packets come back from outside and allows the packet to enter on a HIGH port, because it keeps a state table of the correct session.

My question is, how do things work in non-stateful firewalls regarding incoming communication that is trying to enter my network as a RESPONSE to my request (meaning the same situation as I described for the stateful firewall; let's say I go to a web page and request data from the web server, and the communication comes back to my router)?

In a stateful firewall I know that I don't need to open the high port manually; however, the destination port is a high port number, and the firewall lets the packet pass since it has a record that I started the connection.

But how do things work in a non-stateful firewall?

Does the packet that comes as a reply to my request also have a high port number in the destination? Do I need to open the high port manually?

Another question is, are most routers / firewalls today stateful firewalls?

Thanks
0
Comment
Question by:ymg800
15 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36473202
Stateless firewalls basically watch the traffic and compare the packets with the rules from their rules database.

Does the packet that comes as a reply to my request also have a high port number in the destination? Do I need to open the high port manually?
Not quite. In an IOS ACL for example, you put in: permit tcp any host 1.2.3.4 established, thus allowing return traffic to pass through.

Are most routers / firewalls today stateful firewalls?
Don't think so; these are the more professional (= expensive) ones. For example: iptables from Linux and the default Windows (XP, Vista, 7) firewalls are all stateless.
0
 

Author Comment

by:ymg800
ID: 36473291
So you're saying that in Cisco (IOS is Cisco's OS, right?) you have one command that allows this, and you run it once?

How about other firewalls, for example the Windows firewall that you mention is stateless: how does it accept return traffic in TCP? I don't remember you having any definition or command that you need to do in order for it to work.

Thx
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36473421
It's in Cisco IOS, that's correct.

It's not a command as such, but an option in an access list entry. Like:
access-list outside-in permit tcp any host 1.2.3.4 established

For Windows, my guess is that it comes built in as an implicit rule.
0
 

Author Comment

by:ymg800
ID: 36473498
OK, so you say that in some firewalls this option is already turned on by default. This makes me wonder why in my CISSP studies they say that you need to specify explicitly to open the high port.

By the way, the communication comes back to a HIGH port number on the destination IP, right? (Which is my gateway and some high-numbered port?) For non-stateful firewalls of course (or stateless :) )
Thx
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36473611
OK, so you say that in some firewalls this option is already turned on by default. This makes me wonder why in my CISSP studies they say that you need to specify explicitly to open the high port.

Well, I said I guess that's the case for Windows. I normally keep away from that and disable it ASAP.
I'm curious how exactly they describe that in your study material then.

About the second, you're right. The communication source connects to a remote host on a well-known port like 80 from a high port (>1023), and the remote host connects back to that high port. You know, three-way handshake and stuff.
0
 

Author Comment

by:ymg800
ID: 36473714
Then it's a question, and I got the answer, OK.

Here is the question from the exam:
Opening high-port ranges in a packet filtering firewall:

Correct answer:
Must be explicitly permitted for inbound traffic to allow a TCP session.

While there is another question for stateful firewalls:

Opening high-port ranges in a stateful firewall:

Correct answer:

It is not necessary to explicitly refer to high ports in this type of firewall.

Well, I don't remember seeing any firewall that needs high ports explicitly defined, but on the other hand, I haven't seen a lot of firewalls :)
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 36473755
Ah, well that is what you do with:
access-list outside-in permit tcp any host 1.2.3.4 established
You explicitly permit return traffic (SYN-ACK) from an outgoing request.
Only you don't explicitly define what ports (because you don't need to).
0
 

Author Comment

by:ymg800
ID: 36473794
Well, that is true for Cisco; I guess other vendors have something similar or something...
But since nobody gives any input for other products (seems like you are the only one answering...)

I will close this question if there is no further input about other vendors and stateless firewalls...

Thanks a lot for helping, erniebeek!! (The points will come shortly of course :) )
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36473806
No problem, glad I could help you (in a certain way :)
0
 

Author Comment

by:ymg800
ID: 36473837
You helped a lot!! Thanks!!
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36501412
Hi ymg800.

Is there anything else you need to know?
0
 

Author Comment

by:ymg800
ID: 36521234
Yes, please check my last post:

"Well, that is true for Cisco; I guess other vendors have something similar or something...
But since nobody gives any input for other products (seems like you are the only one answering...)

I will close this question if there is no further input about other vendors and stateless firewalls..."

The question is whether you need to specify directly to open the high port for return TCP packets in a stateless firewall.

erniebeek brought an example regarding Cisco, but what about other vendors?
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 500 total points
ID: 36521317
Ah, you're right.
Let's see if I can help you a bit more.

For example iptables, to allow established traffic:
https://help.ubuntu.com/community/IptablesHowTo#Allowing_Established_Sessions
This is from an Ubuntu forum, but the idea is the same for other flavors of Linux.

Windows is using an application-based firewall. So you define the application which is allowed through the firewall. Windows has pre-configured sets of rules per application that define which ports the application is using for incoming and outgoing traffic.
http://en.wikipedia.org/wiki/Windows_Firewall
http://en.wikipedia.org/wiki/Windows_Filtering_Platform
0
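As an added example (not code from the thread or any vendor): a toy Python filter that contrasts the stateless `established` rule from the accepted solution (match on the ACK/RST bit, no port named) with the connection-table behaviour that the iptables established-sessions rule in the answer above relies on, run over constructed packets. The addresses, the client port 51234 and the helper names are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False

INSIDE_HOST = "10.0.0.5"  # constructed client address behind the firewall

def stateless_inbound_allowed(pkt: Packet) -> bool:
    """Stateless rule, like 'permit tcp any host 10.0.0.5 established':
    matches only the ACK or RST bit, so the reply to the client's high
    port passes without naming a port, but so does any other ACK packet."""
    return pkt.dst == INSIDE_HOST and (pkt.ack or pkt.rst)

class StatefulFilter:
    """Stateful filter: records outbound SYNs and admits an inbound packet
    only when its 4-tuple reverses a recorded session (ESTABLISHED idea)."""
    def __init__(self) -> None:
        self.sessions: set = set()

    def outbound(self, pkt: Packet) -> None:
        if pkt.syn and not pkt.ack:  # new connection leaving the network
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound_allowed(self, pkt: Packet) -> bool:
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

def run_demo() -> dict:
    """Both filters on the thread's scenario plus one unsolicited packet."""
    stateful = StatefulFilter()
    web = "203.0.113.10"    # constructed web server
    other = "198.51.100.7"  # constructed unrelated host
    stateful.outbound(Packet(INSIDE_HOST, 51234, web, 80, syn=True))
    # Server's SYN-ACK returns to the client's high port 51234.
    reply = Packet(web, 80, INSIDE_HOST, 51234, syn=True, ack=True)
    # Unsolicited SYN to that high port: nobody inside asked for it.
    new_syn = Packet(other, 40000, INSIDE_HOST, 51234, syn=True)
    # ACK-only packet from a host no session was opened to.
    stray_ack = Packet(other, 40000, INSIDE_HOST, 51234, ack=True)
    return {
        "reply": (stateless_inbound_allowed(reply), stateful.inbound_allowed(reply)),
        "new_syn": (stateless_inbound_allowed(new_syn), stateful.inbound_allowed(new_syn)),
        "stray_ack": (stateless_inbound_allowed(stray_ack), stateful.inbound_allowed(stray_ack)),
    }
```

Each result is a (stateless, stateful) pair: the real reply passes both, the new inbound SYN passes neither, and the stray ACK shows what the stateless rule cannot tell apart from a genuine reply.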