patricktam
asked on
Firewall Stateful inspection questions
I am a system administration and would like to know some concept about Firewall Stateful inspection. We will create a firewall rule e.g.
Source IP port Destination IP Port
1.2.3.4 any 5..6.7.8 1433 (e.g. for SQL server)
1) When I submit the following firewall rule to our network department, do I need to submit any rule for the packet to coming back to the source ip (i.e. 1.2.3.4) assuming that a stateful firewall is between the two hosts ?
2) Another question is that if we submit the firewall rule update as below related to ICMP and UDP do I need to submit any rule for the packet to coming back to the source ip (i.e. 1.2.3.4) still assuming stateful firewall is between the two hosts as I know ICMP and UDP are stateless protocol ?
Source IP port Destination IP Protocol
1.2.3.4 any 5..6.7.8 ICMP or UDP
Thank you so much for your technical view in advance.
Patrick
Source IP port Destination IP Port
1.2.3.4 any 5..6.7.8 1433 (e.g. for SQL server)
1) When I submit the following firewall rule to our network department, do I need to submit any rule for the packet to coming back to the source ip (i.e. 1.2.3.4) assuming that a stateful firewall is between the two hosts ?
2) Another question is that if we submit the firewall rule update as below related to ICMP and UDP do I need to submit any rule for the packet to coming back to the source ip (i.e. 1.2.3.4) still assuming stateful firewall is between the two hosts as I know ICMP and UDP are stateless protocol ?
Source IP port Destination IP Protocol
1.2.3.4 any 5..6.7.8 ICMP or UDP
Thank you so much for your technical view in advance.
Patrick
No you don't. That is the stateful part, the connection state becomes open with a session, and then stays open for those two hosts for that session. After the firewall checks it's rules, and the traffic is allowed, there is session data in the connection that it keeps track of. Traffic will return the same path it was started from. If the host you created a connection to, tried to create a different connection to you, it would(should) fail. Number one it will probably be against the firewall access list, and second to that, it won't have the same session information the firewall knows it can allow. Connections from inside the firewall, are typically allowed out the firewall, but connections INITIATED from outside are typically blocked. It's the initiation that makes the most difference.
http://en.wikipedia.org/wiki/Stateful_firewall
-rich
http://en.wikipedia.org/wiki/Stateful_firewall
-rich
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you all of you for the great advice.
As for ICMP and UDP, as the connections aren't stateful as such, some firewalls might not permit returning packets (though this ought to be rare nowadays). Just try it ... Anyway, as for ICMP, please remember that you want to at least permit incoming control packages (like "needs fragmentation") to avoid problems with other types of transfer.