Private fw for the non tweeker?

INBOUND REPLIES ARE NOT INBOUND INITIALIZATION REQUESTS OR INITIALIZED INBOUND CONNECTIONS.

Inspection of the rule base is not required. The INITIALIZED OUTBOUND CONNECTION has already been validated by
the Access Control List, Established, and the Connections Table updated. The REPLY will be looked up in the
Connections Table, and then passed on through to the Client.



The client generates an Synchronization (SYN) Packet, outbound to the Server to establish an NEW connection.
An (outbound TCP TRAFFIC data stream) in an INITIALIZED OUTBOUND CONNECTION.

The Access Control List (ACL) is referenced to determine if the information flow control policy should permit
the NEW connection outbound.

Assuming the NEW connection is valid in the Access Control List, and permitted outbound, the Connections Table is
then updated. The Connections Table is always updated as necessary.

The outbound TCP TRAFFIC data stream is processed and sent on to the Server.

When the Server REPLIES on the reverse path back to the Client, through the Clients INITIALIZED OUTBOUND CONNECTION,
(the inbound TCP TRAFFIC data stream), the Server is responding with its Synchronization/Acknowledgment (SYN/ACK).

<-----THEREFORE, HOWEVER, AND PLEASE NOTE!----->

SINCE THE REPLY IS NOT AN INITIALIZED INBOUND CONNECTION OR AN INBOUND INITIALIZATION REQUEST,

Inspection of the rule base is not necessary or required, the connection has already been validated OUTBOUND,
Established, and the Connections Table has been updated.

When the Client recieves the REPLY packet from the Server, the packet is looked up in the Connections Table,
and then passed on through to the Client.



All that SYN and SYN/ACT work is so both sides will agree on an Initial Sequence Number (ISN) for each side of
their communication. Unfortunately, many Servers use an easily guessed Initial Sequence Number generation function.

Some firewalls use Transmission Control Protocol (TCP) sequence number randomization. As the packets pass through
the firewall, they are rewritten so that the Initial Sequence Number(s) cannot be predicted.


EDIT: grammer


HKEY1952

 

Are the default settings not optimal/secure? Perhaps, Stem could provide his input on this.

Hi Stem,

Since we are on a PFW thread, I thought maybe I could ask you to look at the default settings of PFW for 'System Services' and 'System' (see attachments). Thanks.

 

Hello HKEY1952,

I see from your last post you still do not want to answer my simple question. OK.
------------------------

The info you are now putting forward (and have in some previous posts) appears to be about a stateful firewall implementation within a gateway or business class router rather than an Home users firewall.

The implementation you put forward, well, you will not find that in the windows firewalls that are frequently mentioned on this forum.
The closest you would get would be either 8-signs or Norton.

8-signs does perform sequence number randomization, or, as 8-signs describes it, "Sequence Number Hardening" (have not checked)

Norton does check sequence numbers, but only for the initial 3 way handshake. It does not check sequence numbers for the streams or termination of connection.(I checked)

You can look at any of the other firewalls/packet filtering firewalls mentioned on this forum and they do not have the implementation you describe. (I have checked.)

I would be interested to know which windows firewall you are using that you believe has the stateful TCP implementation that you describe.


- Stem

 

Hello datarishik,

It depends on your setup/needs.

Most of these firewalls by default simply allow all traffic for all applications that are either signed or on white lists. It is usually done to save them time with support issues.

Are you behind a router? or on an ISP LAN?

I will be trying to find time tomorrow (or it may be weekend), to have a look at the default rules for PFW and how it handles packet filtering.

- Stem

 

Nice to see you bellgamin,

Always good advice.

Regards,

- Stem

 

Thanks a lot, Stem; really appreciate it. I'm not really concerned about configuring the firewall to its maximum potential (I'm behind a router) as much as curious about what the potential holes could be as Rilla pointed out. If there are really any holes, we could do some tweaking in order to ensure that it's intrusion proof. As I said before, I don't really know how to establish rules for protocols, - would really love to do it if I knew - but have learned quite a few points from your and other members' posts.

 

I second that special request about PFW. It will be welcome by a many the inquisitive minds about here.

That was some heavy interpretation a few posts back as regards stateful firewall implementation within a gateway or business class router. Just had to do a Copy/Paste on that for further review & study.

 

Again a matter of language. IMO the misunderstanding around all of these blocked/allowed - inbound/outbound can be resolved if you add a simple "solicited" or "unsolicited" in front of it (equivalent to your "initiated" and "non-initiated").

 

It actually sounds like it is from a book on how a stateful firewalls should be implemented, rather than how the majority are actually implemented.

It can be good reading books (or making google searches), but a practical approach, by actually testing firewalls packet filtering, gives you actual results of the implementation.


- Stem

 

The first rule in the ruleset must be: "allow all outbound TCP"
The second rule in the ruleset must be: "block all inbound TCP"

In other words:
If the data stream was INITIATED by someone on the INSIDE, (the higher security interface = LAN) Let it pass.
If the data stream was INITIATED by someone from the OUTSIDE (the lower security interface = WAN) Block it.


Admit it Stem, this is the second time I have proven you wrong!


/END

/END SUB


HKEY1952

 

But which firewall? I asked earlier which firewall you are using with the implementation you state.

If for example, you use 8-signs, which is a firewall close to the implementation you mention, then setting those rules will block all Internet, as the replies will be blocked. Or, if easier, try L'n'S, that would also block Internet with such rules.

Try checking rather than guessing.

- Stem

 

The above should read:
The first rule in the ruleset must be: "allow all outbound TCP"
The second rule in the ruleset must be: "block all unsolicited inbound TCP"

Otherwise, some software firewalls will also block the INITIATED connections.

This is what I think Stem tries to explain since some posts...

 

I really dont know why I am waisting my time with this, but anyway,


L'n'S rules (just because I have it set up.)

The main rule to allow Internet connections, will allow outbound and inbound TCP. The rule controls the state table entries.



I change the ruleset and add a rule to "Allow all outbound TCP"



I add a rule to "Block all inbound TCP"



Placed at top of ruleset.




I get blocked from Internet.

This is the log showing the allowed outbound TCP and the replies being blocked.



- Stem

 

This are showing only two things:

1.or do not know to configure the L'n'S

2.or is time to change firewall

Do it very easy with Windows Firewall:



WF get default installed Inbound Connections with Block (Default), Outbound Connections with Allow.

 

That is to block inbound connections (TCP SYN) not to "block all inbound TCP".


You really need to read the thread more carefully. You also need to actually check/test how WF filters packets, rather than just reading about it.

.

 

This block all connections an packed, when I say ALL means ALL, not only TCP, but UDP and ...... alll. You are "expert" and perform test, LOL.

 

They are really hungry on this one. Now where is that UserCP ignore list setting.


- Stem

 

I'd really like to learn something from all you guys since this is an area in which my personal knowledge is sorely lacking...but I truly hope that we can find a way to have this discussion with less sniping and acrimony.

Thanks in advance.

 

I feel like im playing in the middle of a freeway.
Which 3rd party firewall would be the easiest for a non tweeker to use at the present?

 

I totally agree

 

you brought tears to my eyes from laughing so much cause I'm in the same boat with you now the answer to your question it would be one with the best packet filtering.
its not what you read that counts, but what can you remember.

 

Yes, it sucks being the dummy. How does one figure out which firewall has the best packet filtering? dummy out.

 

if you follow Stem posts there is only one firewall Look&stop.

 

And from what I have read hereabouts, not the best recommendation for the non-tweaker...

...Interesting how the one that originated the thread is the one that ends up as roadkill or thrown under the bus (to keep the freeway metaphor going).

(Perhaps there is a place for default settings or ones that can be strengthened via the user interface without an advanced degree or years of hands on experience. One can only hope.)

 

you are absolutely right realized that after posting, as far as the firewall the easiest one that one can Handel would be the one