At 08:48 AM 6/7/00 +0200, Mikael Olsson wrote:

>Just to back Ben up: Yes, it is definitely possible to be "stateful" even
>where UDP and ICMP are concerned. And yes, it's being done by most SPFs.
>(I don't know of anyone that doesn't, but I don't know how all firewalls
>work :-) For UDP, you more or less just create a pipe between the two
>endports in the conversation and apply an idle timeout, and for ICMP
>you can even verify that ICMP ECHOs are always answered by
>ICMP ECHO_REPLYs.

To quote Lance Spitzner's paper about the FW-1 state table
(http://www.enteract.com/~lspitz/fwtable.html):


"By default, FW-1 does not statefully inspect ICMP traffic."

"UDP connections are simpler to maintain, as they are stateless. When a
UDP packet is allowed through the firewall (based on the rulebase) an entry
is added to the connections table. Any UDP packet can return within the
timeout period (default 40 seconds) as long as both the SRC/DST IP
addresses and SRC/DST ports match."

So I guess it all comes back to your definition of "stateful" :-)


>ICMP errors are another story entirely. Some firewalls drop them all.
>Some let all through. A few attempt to match up the errors to existing
>states before letting them through.

Which firewalls match up the errors to existing states? That's one thing I
haven't seen yet.

Anyway, anyone configuring firewalls for production use should have a
working knowledge of ICMP error messages, and how to safely control them
with their firewall product.




Regards,


Chris Keladis

System/Security Administrator
Custom Management Centre
Cable & Wireless Optus.

Phone: (02) 9775-5312
Mobile: (0402) 067-375
E-Mail: [EMAIL PROTECTED]
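The three behaviours discussed in this thread (a UDP "pipe" keyed on SRC/DST address and port with an idle timeout, ICMP ECHO matched to its ECHO_REPLY, and ICMP errors matched against existing state) are easy to misread without seeing the table in motion. The following is an added illustration written for this archive; it is not code from FW-1, from Mikael's or Ben's products, or from the paper quoted above. The 40-second idle timeout is the FW-1 default quoted in the thread; applying the same timer to ICMP echo state, the set of ICMP error types treated as errors, and matching an error by the datagram it quotes are this example's own assumptions about how a firewall could do it.

```python
"""Toy stateful-inspection table for UDP and ICMP (constructed illustration)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

UDP_IDLE_TIMEOUT = 40.0   # seconds; the FW-1 default quoted in the thread
ICMP_IDLE_TIMEOUT = 40.0  # assumption: reuse the same idle timer for echo state

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
# Assumed set of "error" types: unreachable, source quench, redirect,
# time exceeded, parameter problem.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}


@dataclass(frozen=True)
class Packet:
    proto: str                        # "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0                    # UDP only
    dport: int = 0
    icmp_type: int = -1               # ICMP only
    icmp_id: int = 0
    icmp_seq: int = 0
    inner: Optional["Packet"] = None  # ICMP errors quote the datagram that caused them


Key = Tuple[str, str, str, int, int]


def forward_key(p: Packet) -> Key:
    """Key as seen from the side that initiated the exchange."""
    if p.proto == "udp":
        return ("udp", p.src, p.dst, p.sport, p.dport)
    return ("icmp", p.src, p.dst, p.icmp_id, p.icmp_seq)


def reverse_key(p: Packet) -> Key:
    """Key a reply must match: endpoints swapped; UDP ports swapped, ICMP id/seq kept."""
    proto, src, dst, a, b = forward_key(p)
    return (proto, dst, src, b, a) if proto == "udp" else (proto, dst, src, a, b)


class StateTable:
    def __init__(self) -> None:
        self.entries: Dict[Key, float] = {}   # key -> last-seen time

    def _alive(self, key: Key, now: float) -> bool:
        seen = self.entries.get(key)
        if seen is None:
            return False
        limit = UDP_IDLE_TIMEOUT if key[0] == "udp" else ICMP_IDLE_TIMEOUT
        if now - seen > limit:
            del self.entries[key]             # idle timer expired: forget the pipe
            return False
        return True

    def outbound(self, p: Packet, now: float) -> bool:
        """Packet already allowed by the rulebase: record state for the return path."""
        if p.proto == "udp" or (p.proto == "icmp" and p.icmp_type == ICMP_ECHO_REQUEST):
            self.entries[forward_key(p)] = now
            return True
        return False

    def inbound(self, p: Packet, now: float) -> bool:
        """Packet arriving from the far side: accept only if it belongs to existing state."""
        if p.proto == "udp":
            key = reverse_key(p)
            if self._alive(key, now):
                self.entries[key] = now       # traffic refreshes the idle timer
                return True
            return False
        if p.icmp_type == ICMP_ECHO_REPLY:
            key = reverse_key(p)
            if self._alive(key, now):
                del self.entries[key]         # one reply per request; a duplicate is dropped
                return True
            return False
        if p.icmp_type in ICMP_ERROR_TYPES and p.inner is not None:
            # Accept the error only if the datagram it quotes matches live state we created.
            return self._alive(forward_key(p.inner), now)
        return False


def demo():
    """Walk the table through the thread's cases; returns [(label, accepted), ...]."""
    t = StateTable()
    inside, outside = "10.0.0.5", "198.51.100.7"   # constructed addresses
    out = []
    query = Packet("udp", inside, outside, 40000, 53)
    t.outbound(query, now=0.0)
    reply = Packet("udp", outside, inside, 53, 40000)
    out.append(("udp reply within timeout", t.inbound(reply, now=10.0)))
    out.append(("udp reply from wrong port", t.inbound(Packet("udp", outside, inside, 54, 40000), now=11.0)))
    out.append(("udp reply after 40 s idle", t.inbound(reply, now=51.0)))
    ping = Packet("icmp", inside, outside, icmp_type=8, icmp_id=0x1234, icmp_seq=1)
    t.outbound(ping, now=100.0)
    pong = Packet("icmp", outside, inside, icmp_type=0, icmp_id=0x1234, icmp_seq=1)
    out.append(("echo reply matching request", t.inbound(pong, now=100.5)))
    out.append(("duplicate echo reply", t.inbound(pong, now=100.6)))
    probe = Packet("udp", inside, outside, 40001, 161)
    t.outbound(probe, now=200.0)
    out.append(("icmp error quoting live udp state", t.inbound(Packet("icmp", outside, inside, icmp_type=3, inner=probe), now=201.0)))
    unsolicited = Packet("icmp", outside, inside, icmp_type=3, inner=Packet("udp", inside, outside, 40002, 161))
    out.append(("icmp error quoting unknown datagram", t.inbound(unsolicited, now=202.0)))
    return out


if __name__ == "__main__":
    for label, accepted in demo():
        print(f"{'ACCEPT' if accepted else 'DROP  '}  {label}")
```

Running `demo()` shows the point of the thread's definitional argument: the UDP entry is nothing more than a 4-tuple plus a timer, so "stateful" here means only that the reply must come from the port the query went to and within the idle window, while the ICMP side can be stricter (a reply consumes the request entry, and an error is honoured only when it quotes a datagram the table actually remembers).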

