Yale,

#Will a stateful inspection kind of firewall naturally block some protocols or
#will the NAT features (One real internet ip and a C Class internal IP) of
#firewall confuse the state table of connections?

     Devices that do NAT need to keep some sort of state table or static
table for NAT.  If they don't then no return packets will make it back to
the original source.  NAT should not confuse your firewall.  If NAT is
being done on your firewall then your firewall will keep track of the
original IP addresses.  If NAT is done before the traffic reaches the
firewall then the firewall only knows the NATed address.  If NAT occurs
after the firewall passes the traffic along then the firewall only knows
the original IP address and never sees the NATed address.

     Firewalls, by their nature, block traffic.  If it doesn't then it
isn't worth buying.  A stateful inspection firewall will allow the traffic
through that it is configured to allow through.  So if you allow all TCP
traffic on port 514 through the firewall then all TCP traffic on port 514 is
allowed through.  If you have a means of detecting which protocol is using
TCP or UDP as a transport (generally called an application layer proxy)
then that proxy will allow through the protocol it is designed to allow
through such as http and, hopefully, deny all traffic that is not http.
Most stateful inspection firewalls probably have application layer proxies
(of a sort) for http and maybe some of the other big protocols.

Regards,
Jeffery Gieser
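As an added illustration of the two points in the reply above (not code from the original post): a toy model of a firewall that does NAT itself, so its state table is keyed on the original internal addresses while the packets it emits carry the one public address, and its rule set passes any TCP to port 514 without looking at the application protocol. The addresses, port numbers and rule set are constructed for the example.

```python
# Added example (not from the original mailing-list post): a stateful firewall
# that also performs NAT.  Because NAT happens on the firewall, the state table
# keeps the original internal IP/port and still matches the un-NATed reply.
# All addresses and ports below are constructed for illustration.
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"  # the single "real" internet address (constructed)


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatFirewall:
    """Allow configured outbound TCP ports, NAT them, and track state."""

    def __init__(self, allowed_tcp_ports):
        self.allowed = set(allowed_tcp_ports)
        # (proto, orig_src_ip, orig_src_port, dst_ip, dst_port) -> public port
        self.state = {}
        # (proto, public_port, dst_ip, dst_port) -> (orig_src_ip, orig_src_port)
        self.reverse = {}
        self.next_port = 40000

    def outbound(self, pkt):
        """Return the NATed packet, or None if the rule set blocks it."""
        # A stateful filter only checks transport + port, not what rides on it.
        if pkt.proto != "tcp" or pkt.dst_port not in self.allowed:
            return None
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.state:  # new flow: allocate a public source port
            self.state[key] = self.next_port
            self.reverse[(pkt.proto, self.next_port, pkt.dst_ip, pkt.dst_port)] = (
                pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return Packet(pkt.proto, PUBLIC_IP, self.state[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Return the un-NATed reply for a known flow; None (dropped) otherwise."""
        orig = self.reverse.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if orig is None or pkt.dst_ip != PUBLIC_IP:
            return None  # no state for this reply: it never reaches the inside
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, orig[0], orig[1])
```

The state table is what makes the return packet routable to the original host; a reply that matches no entry is dropped even though it targets the public address.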
