Firewall Wizards mailing list archives

FW-1 "allow outbound"


From: "Cannella, Michael (ISS Southfield)" <mcannell () iss net>
Date: Tue, 18 Jan 2000 10:58:10 -0500



From: TC Wolsey [mailto:twolsey () realtech com] Monday, January 17, 2000 12:12 PM

A question for the list while I am on the subject of FW-1. Does anybody know why the 'Allow outbound connections' property has to be set on FW-1/NT for the fw to pass any traffic? In my experience this property has the advertised effect on the Solaris platform but will stop all traffic dead in the water if not enabled on the NT platform. (With no logging, ICMP or TCP notification - just a gaping black hole.) Does the fw module handle all IP forwarding through itself (which allows the control of forwarding) and forwarded packets are seen by the fw module as sourced by the local machine? That is the only behavior that I can think of that makes sense in light of what my experience with FW-1 has been.


I have seen the same behavior difference between Solaris and NT, but only
with http.  With telnet, for example, both seem to behave the same way.  And
I have no explanation for why that occurs, although, for once, it's NT that
exhibits the safer behavior.


The issue at hand, though, is interface direction.  If the interface
direction is set to "inbound," packets are inspected against the policy
properties _and_ the rulebase on their way in to the firewall.  On the way
out from the firewall, they are inspected against the policy properties
only--if there is no rule to pass them in the policy properties, they hit
the _implicit_ clean-up rule, which drops everything, and doesn't log.

"Allow outbound" adds an implicit rule that allows all traffic out from the
firewall.  Being a policy property, it's enforced on both inbound and
outbound interfaces, and not logged.  

If interface direction is set to "eitherbound," all rules are enforced at
both interfaces, so your accept rules take care of it for themselves.  



This problem is quite apropos your comment about the (ahem) "limitations" of
the Checkpoint docs, which are somewhat misleading:

- the policy property help expressly indicates that the "allow outgoing" checkbox does not apply to traffic from the internal network.

- the help for "outgoing connections" says--a bit more accurately--that traffic will only be allowed out from the firewall if either

    *  "allow outgoing" is checked, or
    *  interface direction is set to "eitherbound," and there is a rule that allows the traffic out.


Anyone have any insight into the OS difference?



-----michael cannella  mailto:mcannella () iss net
-----Internet Security Systems, eServices
-----http://www.iss.net/
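A small Python model of the inspection order the message describes (an added illustration, not Check Point code and not part of the original post); the network names, rule and packets are constructed, and the model simplifies "allow outbound" to an unlogged accept at the outbound inspection point.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    service: str
    action: str = "accept"
    log: bool = True


def matches(rule: Rule, pkt: Packet) -> bool:
    # "any" in a rule field matches every value of that field.
    return all(r in ("any", p) for r, p in
               zip((rule.src, rule.dst, rule.service), (pkt.src, pkt.dst, pkt.service)))


def inspect(pkt, stage, direction, rulebase, allow_outbound):
    """One inspection point. stage is 'in' (packet entering the firewall)
    or 'out' (packet leaving it). Returns (action, logged)."""
    # Policy properties are checked first and never log. Assumption of this
    # model: "allow outbound" is an unlogged accept at the 'out' point.
    if stage == "out" and allow_outbound:
        return "accept", False
    # The rulebase is consulted on the way in under "inbound", and at both
    # points under "eitherbound".
    if stage == "in" or direction == "eitherbound":
        for rule in rulebase:
            if matches(rule, pkt):
                return rule.action, rule.log
    # Implicit clean-up rule: drop, with no log entry.
    return "drop", False


def forward(pkt, direction, rulebase, allow_outbound):
    """Trace a forwarded packet: in through one interface, out through another."""
    trace = []
    for stage in ("in", "out"):
        action, logged = inspect(pkt, stage, direction, rulebase, allow_outbound)
        trace.append((stage, action, logged))
        if action != "accept":
            break
    return trace


# Constructed sample: one rule letting the internal net browse anywhere.
RULEBASE = [Rule("internal-net", "any", "http")]
WEB = Packet("internal-net", "external-host", "http")
```

With direction "inbound" and the property off, the trace ends in an unlogged drop at the outbound point, which is the silent black hole the question describes.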

