Hey Folks,

I am relatively new to firewall-1 - (I've used it since version 4.0).

My questions revolve around Lance's paper on stateful inspection and some
information I read in the fw-1 reference documents about TCP connections.

It is my understanding from the fw-1 docs that:

1. SYN packets are checked against the rulebase.  If permitted they are
added to the state table and remain for some defined timeout period.

2. If you run fwstop and fwstart the connection table gets cleared OR if
the connection times out the connection info. is removed from the state
table.

3. In order to keep from dropping sessions the firewall will accept ACK
packets, mangle the sequence number and strip out all data above OSI layer
4, AND then send the packet to the destination host (internal usually).

4. The host will respond if it is part of an established connection and
then the firewall will check that response against the rulebase.

Q: Does the firewall actually strip the data above layer 4???  Can anybody
verify this (Otherwise, I will have to do this)?

Q: This appears to be somewhat different than the paper.  Any thoughts?

TIA
Tony Miedaner
Network Security Engineer
Network Engineering Unit
Appliedtheory Inc.
315-453-2912 x5361
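
The four steps listed in the post above, as an added toy model (not part of the original message and not Check Point's code). The class and field names, the timeout value, the rulebase shape and the way the sequence number is altered are assumptions for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: str            # "SYN" or "ACK"
    seq: int = 0
    payload: bytes = b""

class ToyStatefulFilter:
    """Hypothetical model of the behaviour the post describes."""
    def __init__(self, allowed, timeout=3600):
        self.allowed = allowed   # rulebase: permitted (dst, dport) pairs
        self.timeout = timeout   # assumed idle timeout, seconds
        self.table = {}          # (src, dst, dport) -> last-seen time

    def restart(self):
        self.table.clear()       # step 2: fwstop/fwstart empties the table

    def inbound(self, p, now):
        key = (p.src, p.dst, p.dport)
        seen = self.table.get(key)
        if seen is not None and now - seen > self.timeout:
            del self.table[key]  # step 2: entry timed out
            seen = None
        if p.flags == "SYN":     # step 1: only SYNs hit the rulebase
            if (p.dst, p.dport) not in self.allowed:
                return "drop", None
            self.table[key] = now
            return "accept", p
        if seen is not None:     # known connection: pass unchanged
            self.table[key] = now
            return "accept", p
        if p.flags == "ACK":     # step 3: unknown ACK becomes a bare probe
            # Assumed mangling: shift seq by one; payload is removed.
            probe = replace(p, seq=(p.seq - 1) & 0xFFFFFFFF, payload=b"")
            return "probe", probe
        return "drop", None

    def reply(self, probe, host_has_connection, now):
        # Step 4: the host answers only for a live connection, and that
        # answer is checked against the rulebase before state is rebuilt.
        if host_has_connection and (probe.dst, probe.dport) in self.allowed:
            self.table[(probe.src, probe.dst, probe.dport)] = now
            return True
        return False
```

In this model the original payload of an unknown ACK never reaches the internal host; only the stripped probe does, which is the property the first question asks to have verified on a real firewall.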

