Chris Keladis wrote:
> 
> "By default, FW-1 does not statefully inspect ICMP traffic."

I did say that some firewalls just pass ICMP errors without
inspection. I guess I should have restructured my message
to make that statement include any ICMP.

> "UDP connections are simpler to maintain, as they are stateless."
> [snip: creating states for UDP]
> So I guess it all comes back to your definition of "stateful" :-)

This sounds stateful to me?
(Or if you are referring to ICMP and FW-1: No, they're not being
stateful as far as ICMP is concerned.)

> Which firewalls match up the errors to existing states? That's one thing I
> haven't seen yet.

[Ack. Disclaimer time: I work for EnterNet Sweden, a firewall vendor.]

Ours does. But we don't let them through yet, because we need to
design a good algorithm to protect against things like firewalking.
(We don't like implementing features without thinking them through
thoroughly, just because other firewalls have those features. This is why
we don't have an FTP ALG, which turned out to be A Good Thing(tm).)

All it does currently is match the ICMP errors up with existing
states for the sake of logging. Legal ICMP errors belonging to
live connections can be dropped without logging (optional). 
Others can be dropped _and_ logged.

> Anyway, anyone configuring Firewalls for production use, should have a
> working knowledge of ICMP error messages, and how to safely control them
> with their firewall product.

I definitely agree. "should". Too bad most people don't.

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00         Direct: +46 (0)660 29 92 05
Mobile: +46 (0)70 66 77 636        Fax: +46 (0)660 122 50
WWW: http://www.enternet.se/       E-mail: [EMAIL PROTECTED]
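As an added illustration of the error-to-state matching this reply describes (example code written for this page, not EnterNet's firewall code): it parses a constructed ICMPv4 Destination Unreachable, recovers the original 5-tuple quoted inside it, and checks that against a hypothetical state table, so errors belonging to live connections can be dropped quietly while the rest are flagged for logging. Header checksums are left at zero because the lookup does not need them.

```python
import struct
import ipaddress

# Hypothetical state table of live connections, keyed by the original
# direction of the flow: (proto, src_ip, src_port, dst_ip, dst_port).
LIVE_STATES = {
    (17, "192.0.2.10", 40000, "198.51.100.5", 53),  # UDP DNS query in flight
    (6, "192.0.2.10", 51234, "198.51.100.7", 80),   # established TCP session
}

def ipv4_header(proto, src, dst, total_len):
    """Minimal 20-byte IPv4 header (checksum left at zero, constructed data)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def parse_ipv4(buf):
    """Return (proto, src, dst, payload) from a raw IPv4 packet."""
    ihl = (buf[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(buf[12:16]))
    dst = str(ipaddress.IPv4Address(buf[16:20]))
    return buf[9], src, dst, buf[ihl:]

def build_icmp_unreachable(router, victim, iproto, isrc, isport, idst, idport):
    """Construct a type 3 / code 3 (port unreachable) error that quotes the
    original IP header plus the first 8 bytes of its transport header, as
    RFC 792 requires. Ports occupy the first 4 of those 8 bytes for UDP and TCP."""
    inner_l4 = struct.pack("!HHHH", isport, idport, 8, 0)
    inner = ipv4_header(iproto, isrc, idst, 20 + len(inner_l4)) + inner_l4
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + inner
    return ipv4_header(1, router, victim, 20 + len(icmp)) + icmp

def classify_icmp_error(packet):
    """'related' if the quoted datagram matches a live state (may be dropped
    without logging), 'unrelated' if it matches nothing (drop and log), or
    'not-an-error' for non-error ICMP types such as echo."""
    proto, _, _, icmp = parse_ipv4(packet)
    if proto != 1:
        raise ValueError("not an ICMP packet")
    if icmp[0] not in (3, 4, 11, 12):   # unreachable, quench, time exceeded, param problem
        return "not-an-error"
    inner = icmp[8:]                     # skip type, code, checksum, unused word
    iproto, isrc, idst, l4 = parse_ipv4(inner)
    if len(l4) < 4:
        return "unrelated"               # too short to recover the ports
    sport, dport = struct.unpack("!HH", l4[:4])
    if (iproto, isrc, sport, idst, dport) in LIVE_STATES:
        return "related"
    return "unrelated"
```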