Solved

Firewall Stateful inspection questions

Posted on 2014-10-23
4
184 Views
Last Modified: 2014-11-09
I am a system administration and would like to know some concept about Firewall Stateful inspection. We will create a firewall rule e.g.

Source IP      port              Destination IP     Port
1.2.3.4           any                5..6.7.8                 1433     (e.g. for SQL server)

1) When I submit the following firewall rule to our network department, do I need to submit any rule for the packet to coming back to the source ip (i.e. 1.2.3.4) assuming that a stateful firewall is between the two hosts ?

2) Another question is that if we submit the firewall rule update as below related to ICMP and UDP do I need to submit any rule for the packet to coming back to the source ip (i.e. 1.2.3.4) still assuming stateful firewall is between the two hosts as I know ICMP and UDP are stateless protocol ?

Source IP      port              Destination IP     Protocol
1.2.3.4           any                5..6.7.8                     ICMP or UDP

Thank you so much for your technical view in advance.

Patrick
0
Comment
Question by:patricktam
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 40401951
Normally, a stateful firewall should automatically allow returning packets. That's the main "win" over a regular stateless packet inspection.

As for ICMP and UDP, as the connections aren't stateful as such, some firewalls might not permit returning packets (though this ought to be rare nowadays). Just try it ... Anyway, as for ICMP, please remember that you want to at least permit incoming control packages (like "needs fragmentation") to avoid problems with other types of transfer.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40401956
No you don't. That is the stateful part, the connection state becomes open with a session, and then stays open for those two hosts for that session. After the firewall checks it's rules, and the traffic is allowed, there is session data in the connection that it keeps track of. Traffic will return the same path it was started from. If the host you created a connection to, tried to create a different connection to you, it would(should) fail. Number one it will probably be against the firewall access list, and second to that, it won't have the same session information the firewall knows it can allow. Connections from inside the firewall, are typically allowed out the firewall, but connections INITIATED from outside are typically blocked. It's the initiation that makes the most difference.
http://en.wikipedia.org/wiki/Stateful_firewall
-rich
0
 
LVL 39

Accepted Solution

by:
Aaron Tomosky earned 500 total points
ID: 40402086
I'd suggest adding tcp to your port request as some requests will be for udp.
0
 

Author Closing Comment

by:patricktam
ID: 40431100
Thank you all of you for the great advice.
0

Featured Post

What Is Transaction Monitoring and who needs it?

Synthetic Transaction Monitoring that you need for the day to day, which ensures your business website keeps running optimally, and that there is no downtime to impact your customer experience.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
Make the most of your online learning experience.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question