?
Solved

Firewall Stateful inspection questions

Posted on 2014-10-23
4
Medium Priority
?
189 Views
Last Modified: 2014-11-09
I am a system administration and would like to know some concept about Firewall Stateful inspection. We will create a firewall rule e.g.

Source IP      port              Destination IP     Port
1.2.3.4           any                5..6.7.8                 1433     (e.g. for SQL server)

1) When I submit the following firewall rule to our network department, do I need to submit any rule for the packet to coming back to the source ip (i.e. 1.2.3.4) assuming that a stateful firewall is between the two hosts ?

2) Another question is that if we submit the firewall rule update as below related to ICMP and UDP do I need to submit any rule for the packet to coming back to the source ip (i.e. 1.2.3.4) still assuming stateful firewall is between the two hosts as I know ICMP and UDP are stateless protocol ?

Source IP      port              Destination IP     Protocol
1.2.3.4           any                5..6.7.8                     ICMP or UDP

Thank you so much for your technical view in advance.

Patrick
0
Comment
Question by:patricktam
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 40401951
Normally, a stateful firewall should automatically allow returning packets. That's the main "win" over a regular stateless packet inspection.

As for ICMP and UDP, as the connections aren't stateful as such, some firewalls might not permit returning packets (though this ought to be rare nowadays). Just try it ... Anyway, as for ICMP, please remember that you want to at least permit incoming control packages (like "needs fragmentation") to avoid problems with other types of transfer.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40401956
No you don't. That is the stateful part, the connection state becomes open with a session, and then stays open for those two hosts for that session. After the firewall checks it's rules, and the traffic is allowed, there is session data in the connection that it keeps track of. Traffic will return the same path it was started from. If the host you created a connection to, tried to create a different connection to you, it would(should) fail. Number one it will probably be against the firewall access list, and second to that, it won't have the same session information the firewall knows it can allow. Connections from inside the firewall, are typically allowed out the firewall, but connections INITIATED from outside are typically blocked. It's the initiation that makes the most difference.
http://en.wikipedia.org/wiki/Stateful_firewall
-rich
0
 
LVL 39

Accepted Solution

by:
Aaron Tomosky earned 2000 total points
ID: 40402086
I'd suggest adding tcp to your port request as some requests will be for udp.
0
 

Author Closing Comment

by:patricktam
ID: 40431100
Thank you all of you for the great advice.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
Suggested Courses

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question