Solved

Question about how a non-stateful firewall receives incoming communications

Posted on 2011-09-02
15
496 Views
Last Modified: 2013-11-16
Hi,

I know that in a stateful firewall, communication initiated from inside lets packets coming back from outside enter on a HIGH port, because it keeps a state table of the correct session.

My question is, how do things work in non-stateful firewalls regarding incoming communication that is trying to enter my network as a RESPONSE to my request (meaning the same situation as I described for the stateful firewall; let's say I go to a web page and request data from the web server, and the communication comes back to my router)?

In a stateful firewall I know that I don't need to open the high port manually; the destination port is a high port number, and the firewall lets the packet pass since it has a record that I started the connection.

But how do things work in a non-stateful firewall?

Does the packet that comes as a reply to my request also have a high port number in the destination? Do I need to open the high port manually?

Another question: are most routers / firewalls today stateful firewalls?

Thanks
Question by:ymg800
15 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36473202
Stateless firewalls basically watch the traffic and compare the packets with the rules from their rules database.

"Does the packet that comes as a reply to my request also have a high port number in the destination? Do I need to open the high port manually?"
Not quite. In an IOS ACL, for example, you put in: permit tcp any host 1.2.3.4 established, thus allowing return traffic to pass through.

"Are most routers / firewalls today stateful firewalls?"
Don't think so; those are the more professional (= expensive) ones. For example: iptables from Linux and the default Windows (XP, Vista, 7) firewalls are all stateless.
0
 

Author Comment

by:ymg800
ID: 36473291
So you're saying that in Cisco (IOS is Cisco's OS, right?) you have one command that allows this, and you run it once.

How about other firewalls, for example the Windows firewall that you mention is stateless: how does it accept return traffic in TCP? I don't remember there being any definition or command that you need to run in order for it to work.

Thx
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36473421
It's in Cisco IOS, that's correct.

It's not a command as such, but an option in an access list entry. Like:
access-list outside-in permit tcp any host 1.2.3.4 established

For Windows, my guess is that it comes built in as an implicit rule.
0

Author Comment

by:ymg800
ID: 36473498
OK, so you say that in some firewalls this option is already turned on by default. This makes me wonder why in my CISSP studies they say that you need to specify explicitly to open the high port.

By the way, the communication comes back to a HIGH port number on the destination IP, right? (which is my gateway and some high-numbered port?), for a non-stateful firewall of course (or stateless :) )
Thx
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36473611
"OK, so you say that in some firewalls this option is already turned on by default. This makes me wonder why in my CISSP studies they say that you need to specify explicitly to open the high port."

Well, I said I guess that's the case for Windows. I normally keep away from that and disable it ASAP.
I'm curious how exactly they describe that in your study material then.

About the second, you're right. The communication source connects to a remote host using a well-known port like 80 from a high port (>1023), and the remote host connects back to that high port. You know, three-way handshake and stuff.
0
 

Author Comment

by:ymg800
ID: 36473714
Then it's a question, and I got the answer, OK.

Here is the question from the exam:
Opening high-port ranges in a packet filtering firewall:

Correct answer:
must be explicitly permitted for inbound traffic to allow TCP sessions

while there is another question for stateful firewalls:

Opening high-port ranges in a stateful firewall:

Correct answer:

is not necessary to explicitly refer to high ports in this type of firewall

Well, I don't remember seeing any firewall that needs high ports to be explicitly defined, but on the other hand, I haven't seen a lot of firewalls :)
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 36473755
Ah, well, that is what you do with:
access-list outside-in permit tcp any host 1.2.3.4 established
You explicitly permit return traffic (SYN-ACK) from an outgoing request.
Only you don't explicitly define which ports (because you don't need to).
0
 

Author Comment

by:ymg800
ID: 36473794
Well, that is true for Cisco; I guess other vendors have something similar...
But since nobody gives any input on other products (seems like you are the only one answering...)

I will close this question if there is no further input about other vendors and stateless firewalls...

Thanks a lot for helping, erniebeek!! (the points will come shortly of course :) )
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36473806
No problem, glad I could help you (in a certain way :)
0
 

Author Comment

by:ymg800
ID: 36473837
You helped a lot!! Thanks!!
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36501412
Hi ymg800.

Is there anything else you need to know?
0
 

Author Comment

by:ymg800
ID: 36521234
Yes, please check my last post:

"Well, that is true for Cisco; I guess other vendors have something similar...
But since nobody gives any input on other products (seems like you are the only one answering...)

I will close this question if there is no further input about other vendors and stateless firewalls..."

The question is whether you need to explicitly open high ports for return TCP packets in a stateless firewall.

erniebeek brought an example regarding Cisco, but what about other vendors?
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 500 total points
ID: 36521317
Ah, you're right.
Let's see if I can help you a bit more.

For example iptables, to allow established traffic:
https://help.ubuntu.com/community/IptablesHowTo#Allowing_Established_Sessions
This is from an Ubuntu forum, but the idea is the same for other flavors of Linux.

Windows is using an application-based firewall. So you define the application which is allowed through the firewall. Windows has pre-configured sets of rules per application that define which ports the application uses for incoming and outgoing traffic.
http://en.wikipedia.org/wiki/Windows_Firewall
http://en.wikipedia.org/wiki/Windows_Filtering_Platform
0
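The two mechanisms discussed in the thread (the IOS "established" ACL option in the accepted solution, and connection tracking of the kind the iptables link describes) can be modelled side by side. The following is an added example, not code from the thread or from any vendor: a toy stateless filter whose "established" entry matches only segments with ACK or RST set, next to a toy stateful firewall that records outbound sessions in a table. All addresses and ports are constructed (RFC 5737 documentation ranges); the class and function names are the example's own. It shows why the exam answer and the ACL agree: the return SYN-ACK lands on a high port that is never listed, and it also shows the limitation a defender should know about, namely that a stateless "established" rule accepts any inbound segment carrying ACK, whereas the stateful table rejects it because no session matches.

```python
"""Toy model of stateless 'established' filtering versus stateful tracking.

Added example, not from the thread or any vendor; all addresses and ports
are constructed (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Segment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


@dataclass(frozen=True)
class AclEntry:
    action: str                      # "permit" or "deny"
    src_ip: str                      # "any" or a single host address
    dst_ip: str                      # "any" or a single host address
    dst_port: Optional[int] = None   # None means any destination port
    established: bool = False        # IOS-style: require ACK or RST bit


def stateless_filter(acl: List[AclEntry], seg: Segment) -> bool:
    """Evaluate an ACL the way a packet filter does: first match wins,
    implicit deny if nothing matches, no memory of earlier packets."""
    for entry in acl:
        if entry.src_ip not in ("any", seg.src_ip):
            continue
        if entry.dst_ip not in ("any", seg.dst_ip):
            continue
        if entry.dst_port is not None and entry.dst_port != seg.dst_port:
            continue
        if entry.established and not (seg.ack or seg.rst):
            continue
        return entry.action == "permit"
    return False


class StatefulFirewall:
    """Records sessions opened from the inside; an inbound segment is
    accepted only if it is a reply belonging to one of those sessions."""

    def __init__(self) -> None:
        self._sessions: Set[Tuple[str, int, str, int]] = set()

    def outbound(self, seg: Segment) -> bool:
        # An outbound SYN from the inside creates the state entry.
        if seg.syn and not seg.ack:
            self._sessions.add((seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port))
        return True

    def inbound(self, seg: Segment) -> bool:
        # A bare SYN is a new connection attempt, never a reply.
        if seg.syn and not seg.ack:
            return False
        # The reply is the mirror image of the recorded 4-tuple.
        return (seg.dst_ip, seg.dst_port, seg.src_ip, seg.src_port) in self._sessions


# --- constructed scenario: an inside host browses to a web server ----------
INSIDE_HOST = "192.0.2.10"       # constructed inside address
WEB_SERVER = "198.51.100.5"      # constructed outside address
OTHER_HOST = "203.0.113.7"       # constructed unrelated outside address
CLIENT_PORT = 51234              # ephemeral (high) port chosen by the client

OUTBOUND_SYN = Segment(INSIDE_HOST, CLIENT_PORT, WEB_SERVER, 80, syn=True)
RETURN_SYN_ACK = Segment(WEB_SERVER, 80, INSIDE_HOST, CLIENT_PORT, syn=True, ack=True)
# Unsolicited connection attempt from outside to the same high port.
UNSOLICITED_SYN = Segment(OTHER_HOST, 40000, INSIDE_HOST, CLIENT_PORT, syn=True)
# Unsolicited segment with ACK set: the case a stateless rule cannot tell apart.
UNSOLICITED_ACK = Segment(OTHER_HOST, 40000, INSIDE_HOST, CLIENT_PORT, ack=True)

# Equivalent of: access-list outside-in permit tcp any host 192.0.2.10 established
OUTSIDE_IN_ACL = [AclEntry("permit", "any", INSIDE_HOST, established=True)]


def decisions() -> Dict[str, Dict[str, bool]]:
    """Run the three inbound cases through both firewalls."""
    fw = StatefulFirewall()
    fw.outbound(OUTBOUND_SYN)           # populate the state table first
    cases = {
        "return_syn_ack": RETURN_SYN_ACK,
        "unsolicited_syn": UNSOLICITED_SYN,
        "unsolicited_ack": UNSOLICITED_ACK,
    }
    return {
        name: {"stateless": stateless_filter(OUTSIDE_IN_ACL, seg),
               "stateful": fw.inbound(seg)}
        for name, seg in cases.items()
    }


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:16} stateless={verdict['stateless']!s:5} stateful={verdict['stateful']}")
```

The return SYN-ACK passes both models without port 51234 appearing in any rule, which is the point of the "established" option and of the state table. The unsolicited SYN is dropped by both. The difference is the unsolicited ACK: the stateless entry permits it because the ACK bit is all it can check, while the stateful firewall drops it because no matching session was ever opened from inside; that gap is why monitoring for inbound ACK-only traffic on stateless filters, and preferring connection tracking where available, is the usual recommendation.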
