Well...

I read the Lance Spitzner article on his website about the state table
which is used in Checkpoint packages.

I must say I was pretty shocked about the stateful inspection procedure
that Checkpoint handled before SP2 (maybe you have to read it to know
what I am talking about). Although CP doesn't use state with ICMP packets,
it does on UDP and TCP connections.

I think CP can learn something from IPF about the stateful inspection part...
but from SP2 on they have finally improved a great deal. So I would suggest to
all people that haven't done it yet: upgrade to SP2 (or the new SP3 while you're
at it).

Greets,

Brenno

> -----Original Message-----
> From: Chris Keladis [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday 2 May 2001 1:58
> To:   Hiemstra, Brenno
> Cc:   'Eliyah Lovkoff'; [EMAIL PROTECTED]
> Subject:      Re: Secure DNS setup
> 
> "Hiemstra, Brenno" wrote:
> 
> 
> > Because Checkpoint uses "stateful inspection" (only from SP2 true stateful
> > inspection) the traffic should be allowed to come in too (because the
> > connection is in the firewall's state table)
> 
> Someone can correct me if I'm wrong, but doesn't FW-1 simply keep in its
> state table the outgoing (UDP) connection tuplet, and open a window to allow
> the reverse tuplet back in, for the time factor specified in the properties
> of the firewall ruleset?
> 
> I think I read somewhere in PIX's literature that for DNS it does a nifty
> thing with its "state" whereby it does a similar thing to FW-1, but only
> allows the first correct connection tuplet back in; other replies, even if
> they are in the correct time window, get dropped..
> 
> (Forgive me if Checkpoint is now doing this.. I haven't been following
> their SPs)
> 
> Regards,
> 
> Chris.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
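As an added illustration (not code from the thread, from FW-1 or from PIX), the two reply-handling policies Chris describes, modelled as a small UDP state table; the addresses and the 40-second timeout are constructed values.

```python
from dataclasses import dataclass

UDP_TIMEOUT = 40.0  # seconds the reverse-tuple window stays open (assumed value)

@dataclass(frozen=True)
class Tuple4:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        # The tuple a reply to this datagram would carry.
        return Tuple4(self.dst, self.dport, self.src, self.sport)

class UdpStateTable:
    """policy='window': admit any matching reply until the timeout (FW-1 as described).
    policy='first_only': admit only the first matching reply, then drop the entry
    (PIX as described in the thread)."""

    def __init__(self, policy, timeout=UDP_TIMEOUT):
        self.policy = policy
        self.timeout = timeout
        self.entries = {}  # expected reply tuple -> expiry time

    def outbound(self, t, now):
        # Outgoing datagram from inside: open a window for the reverse tuple.
        self.entries[t.reverse()] = now + self.timeout

    def inbound(self, t, now):
        """Return True if the incoming datagram is admitted, False if dropped."""
        expiry = self.entries.get(t)
        if expiry is None or now > expiry:
            self.entries.pop(t, None)  # no entry, or the window has expired
            return False
        if self.policy == "first_only":
            del self.entries[t]  # close the window after the first good reply
        return True

def simulate(policy):
    """One DNS query, then three replies: two inside the window, one after it."""
    fw = UdpStateTable(policy)
    query = Tuple4("10.0.0.5", 40000, "192.0.2.53", 53)  # constructed addresses
    fw.outbound(query, now=0.0)
    reply = query.reverse()
    return [fw.inbound(reply, now=1.0),   # first reply
            fw.inbound(reply, now=2.0),   # a second reply, still inside the window
            fw.inbound(reply, now=60.0)]  # a reply after the timeout
```

simulate("window") returns [True, True, False] and simulate("first_only") returns [True, False, False]: under the window policy a second datagram matching the reverse tuple is still admitted, while the first-only policy closes the window as soon as one reply has come back.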