Solved

Firewall Stateful inspection questions

Posted on 2014-10-23
4
172 Views
Last Modified: 2014-11-09
I am a system administration and would like to know some concept about Firewall Stateful inspection. We will create a firewall rule e.g.

Source IP      port              Destination IP     Port
1.2.3.4           any                5..6.7.8                 1433     (e.g. for SQL server)

1) When I submit the following firewall rule to our network department, do I need to submit any rule for the packet to coming back to the source ip (i.e. 1.2.3.4) assuming that a stateful firewall is between the two hosts ?

2) Another question is that if we submit the firewall rule update as below related to ICMP and UDP do I need to submit any rule for the packet to coming back to the source ip (i.e. 1.2.3.4) still assuming stateful firewall is between the two hosts as I know ICMP and UDP are stateless protocol ?

Source IP      port              Destination IP     Protocol
1.2.3.4           any                5..6.7.8                     ICMP or UDP

Thank you so much for your technical view in advance.

Patrick
0
Comment
Question by:patricktam
4 Comments
 
LVL 17

Expert Comment

by:Garry-G
Comment Utility
Normally, a stateful firewall should automatically allow returning packets. That's the main "win" over a regular stateless packet inspection.

As for ICMP and UDP, as the connections aren't stateful as such, some firewalls might not permit returning packets (though this ought to be rare nowadays). Just try it ... Anyway, as for ICMP, please remember that you want to at least permit incoming control packages (like "needs fragmentation") to avoid problems with other types of transfer.
0
 
LVL 38

Expert Comment

by:Rich Rumble
Comment Utility
No you don't. That is the stateful part, the connection state becomes open with a session, and then stays open for those two hosts for that session. After the firewall checks it's rules, and the traffic is allowed, there is session data in the connection that it keeps track of. Traffic will return the same path it was started from. If the host you created a connection to, tried to create a different connection to you, it would(should) fail. Number one it will probably be against the firewall access list, and second to that, it won't have the same session information the firewall knows it can allow. Connections from inside the firewall, are typically allowed out the firewall, but connections INITIATED from outside are typically blocked. It's the initiation that makes the most difference.
http://en.wikipedia.org/wiki/Stateful_firewall
-rich
0
 
LVL 38

Accepted Solution

by:
Aaron Tomosky earned 500 total points
Comment Utility
I'd suggest adding tcp to your port request as some requests will be for udp.
0
 

Author Closing Comment

by:patricktam
Comment Utility
Thank you all of you for the great advice.
0

Featured Post

Free camera licenses with purchase of My Cloud NAS

Milestone Arcus software is compatible with thousands of industry-leading cameras for added flexibility. Upon installation on your My Cloud NAS, you will receive two (2) camera licenses already enabled in the software. And for a limited time, get additional camera licenses FREE.

Join & Write a Comment

Some time ago I was asked to set up a web portal PC to put at our entrance. When customers arrive, they could see a webpage 'promoting' our company. So I tried to set up a windows 7 PC as a kiosk PC.......... I will spare you all the annoyances I…
Even if you have implemented a Mobile Device Management solution company wide, it is a good idea to make sure you are taking into account all of the major risks to your electronic protected health information (ePHI).
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now