The few exceptions to this are ICMP and IPSec connections which are not
currently stateful.
Amin Tora wrote:
> Is it necessary within the rule base to provide for a connection going both ways?
> In other words, if I need HTTP access for the entire network, is it required to do the following two rules:
>
> Rule X: Network Any Http Accept
> Rule Y: Any Network Http Accept
>
> Wouldn't just having the first one allow HTTP to work both ways, requests going out and requested data and ACKs coming in?
>
> Yes, the first rule should allow response packets to come back in and you don't need to implement Rule Y. Rule Y would allow ANYONE to initiate HTTP connections to ALL systems on your network. (Bad idea)
>
> Stateful inspection is set up to keep track of connections and allow responses to established UDP and TCP connections to come back in. TCP sessions time out based on what you have set in your Policy Properties' Security tab (TCP Session Timeout - defaults to 3600 sec). Also, you may allow UDP responses for UDP connections (UDP virtual session timeouts - defaults to 40 sec).
>
> Amin Tora, CISSP
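The behaviour discussed in this thread, as an added illustration that is not code from the list or from Check Point: a toy stateful filter with Rule X only, the default timeouts quoted above, and no tracking for ICMP (the exception noted in this reply), so a reply to an established connection is accepted while an unsolicited inbound HTTP connection is dropped unless Rule Y is added. The network, addresses, rule format and packet tuples are constructed for the example.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # the "Network" object (constructed)
TCP_TIMEOUT = 3600   # FW-1 default TCP session timeout quoted in the thread
UDP_TIMEOUT = 40     # FW-1 default UDP virtual session timeout quoted in the thread

RULE_X = ("Network", "Any", "tcp", 80)   # internal hosts may open HTTP outward
RULE_Y = ("Any", "Network", "tcp", 80)   # the rule the thread advises against

def zone(ip):
    return "Network" if ipaddress.ip_address(ip) in INTERNAL else "Any"

def rule_allows(rules, src, dst, proto, dport):
    """First match over (src zone, dst zone, proto, dport) rules."""
    for s, d, p, port in rules:
        if (s == "Any" or zone(src) == s) and (d == "Any" or zone(dst) == d) \
                and p == proto and port == dport:
            return True
    return False

class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.table = {}   # (src, sport, dst, dport, proto) -> expiry time

    def filter(self, pkt, now):
        src, sport, dst, dport, proto = pkt
        timeout = {"tcp": TCP_TIMEOUT, "udp": UDP_TIMEOUT}.get(proto)
        if timeout is not None:                 # ICMP (and IPSec) are not tracked
            reverse = (dst, dport, src, sport, proto)
            if now < self.table.get(reverse, -1):
                # Reply to a live connection: accepted without any reverse rule,
                # and the session timer is refreshed.
                self.table[reverse] = now + timeout
                return "accept (established)"
        # Anything else is a new connection and must match the rule base.
        if not rule_allows(self.rules, src, dst, proto, dport):
            return "drop"
        if timeout is not None:
            self.table[pkt] = now + timeout     # remember the new connection
        return "accept (new)"
```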
