Firewall Wizards mailing list archives

Re: Firewalls that generate new packets..


From: jason () tacorp com
Date: Tue, 27 Nov 2007 22:39:04 -0500 (EST)


in both directions.  State tables allow your firewall to have a deny-all
default inbound policy and an allow-all default outbound policy.  They allow

With today's proliferation of Trojans and Spyware, anyone with a
Windows user population above three who has an allow-all default outbound
policy is an idiot and populations of one to three are likely candidates
for the club if not associate members.


I see both points, but perhaps a different example shows where tracking 
state may be beneficial.  If I have a number of servers in a DMZ that are 
accessible both from the internet and inside my network, I can reduce the 
administrative overhead by tracking state.  If I opened up port 80 into a 
web server and the state was tracked, the reply packet would be able to 
pass back out of the firewall without having to have a rule allowing 
packets from the web server sourced from port 80 out.  Why should I need to 
put two rules in (one for the incoming traffic, and one for the reply) 
when I can rely on the state of the packet for the reply?

-Jason
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
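The DMZ web-server case Jason describes, worked through as an added example that is not part of the original thread. It models two toy filters: a stateless one that needs both an inbound rule to port 80 and a second rule permitting packets sourced from port 80 back out, and a stateful one that has only the inbound rule and a state table. The interesting part is the third packet: a segment sourced from port 80 on the web server toward a host that never connected. The stateless pair of rules lets it through, the state table does not, which is why the single stateful rule is not just less work but also narrower. The addresses, the four-tuple state key and the simplified SYN-only connection model are assumptions for the demonstration (no teardown, timeouts or sequence checks).

```python
"""Toy stateful vs stateless packet filter for the DMZ web-server case.

Constructed example for illustration, not code from the firewall-wizards
thread. Addresses (documentation ranges), the four-tuple state key and the
SYN-only connection model are all assumptions.
"""
from dataclasses import dataclass

WEB_SERVER = "192.0.2.10"         # assumed DMZ web server
INTERNET_CLIENT = "203.0.113.5"   # assumed external client
UNRELATED_HOST = "198.51.100.7"   # assumed external host that never connected


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False        # True only on the connection-opening segment
    direction: str = "in"    # "in" = Internet -> DMZ, "out" = DMZ -> Internet


class StatelessFirewall:
    """Two explicit rules (allow in to :80, allow out from :80), no memory."""

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "in" and pkt.dst == WEB_SERVER and pkt.dport == 80:
            return "ACCEPT"
        # The second rule the post wants to avoid: any packet the web server
        # sources from port 80 may leave, whether or not it answers anything.
        if pkt.direction == "out" and pkt.src == WEB_SERVER and pkt.sport == 80:
            return "ACCEPT"
        return "DROP"


class StatefulFirewall:
    """One explicit rule (allow in to :80) plus a state table for replies."""

    def __init__(self) -> None:
        # Entries: (client, client_port, server, server_port)
        self.state: set[tuple[str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # Outbound is default-deny; only a reply that reverses a tracked
            # connection is permitted.
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
                return "ACCEPT"
            return "DROP"
        # New inbound connection to the web server: accept and record it.
        if pkt.syn and pkt.dst == WEB_SERVER and pkt.dport == 80:
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # Later inbound segments of an already tracked connection.
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.state:
            return "ACCEPT"
        return "DROP"


def run_scenario() -> dict[str, list[str]]:
    """Run the same three packets through both filters and return the verdicts."""
    request = Packet(INTERNET_CLIENT, 40000, WEB_SERVER, 80, syn=True, direction="in")
    reply = Packet(WEB_SERVER, 80, INTERNET_CLIENT, 40000, direction="out")
    # Constructed: a packet from the web server's port 80 to a host that never
    # opened a connection, i.e. traffic no real reply rule should be covering.
    unsolicited = Packet(WEB_SERVER, 80, UNRELATED_HOST, 40000, direction="out")

    results = {}
    for name, fw in (("stateless", StatelessFirewall()),
                     ("stateful", StatefulFirewall())):
        results[name] = [fw.filter(p) for p in (request, reply, unsolicited)]
    return results


if __name__ == "__main__":
    for name, (req, rep, unsol) in run_scenario().items():
        print(f"{name:10s} request={req} reply={rep} unsolicited={unsol}")
```

Running it gives ACCEPT/ACCEPT/ACCEPT for the stateless filter and ACCEPT/ACCEPT/DROP for the stateful one. A real state table would also track direction, TCP flags, teardown and idle timeouts, and would be a place to watch for entry exhaustion; the toy keeps only the part needed to show why one tracked rule replaces two static ones.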

