FW-1 "allow outbound"

From: Cannella, Michael (ISS Southfield) (mcannellat_private)
Date: Tue Jan 18 2000 - 07:58:10 PST


    From: TC Wolsey [mailto:twolseyat_private] Monday, January 17, 2000 12:12 PM
    >A question for the list while I am on the subject of FW-1. Does anybody
    >know why the 'Allow outbound connections' property has to be set on
    >FW-1/NT for the fw to pass any traffic? In my experience this property
    >has the advertised effect on the Solaris platform but will stop all
    >traffic dead in the water if not enabled on the NT platform.
    >With no logging, ICMP or TCP notification - just a gaping black hole) Does
    >the fw module handle all IP forwarding through itself (which allows the
    >control of forwarding) and forwarded packets are seen by the fw module as
    >sourced by the local machine? That is the only behavior that I can think
    >of that makes sense in light of what my experience with FW-1 has been.
    
    
    I have seen the same behavior difference between Solaris and NT, but only
    with http.  With telnet, for example, both seem to behave the same way.  And
    I have no explanation for why that occurs, although, for once, it's NT that
    exhibits the safer behavior.
    
    
    The issue at hand, though, is interface direction.  If the interface
    direction is set to "inbound," packets are inspected against the policy
    properties _and_ the rulebase on their way in to the firewall.  On the way
    out from the firewall, they are inspected against the policy properties
    only--if there is no rule to pass them in the policy properties, they hit
    the _implicit_ clean-up rule, which drops everything, and doesn't log.
    
    "Allow outbound" adds an implicit rule that allows all traffic out from the
    firewall.  Being a policy property, it's enforced on both inbound and
    outbound interfaces, and not logged.  
    
    If interface direction is set to "eitherbound," all rules are enforced at
    both interfaces, so your accept rules take care of it for themselves.  
    
    
    
    This problem is quite apropos your comment about the (ahem) "limitations" of
    the Checkpoint docs, which are somewhat misleading:
    
    - the policy property help expressly indicates that the "allow outgoing"
    checkbox does not apply to traffic from the internal network.
    
    - the help for "outgoing connections" says--a bit more accurately--that
    traffic will only be allowed out from the firewall if either
    
        *  "allow outgoing" is checked
    or
        *  interface direction is set to "eitherbound," and there is a rule that
           allows the traffic out.
    
    
    Anyone have any insight into the OS difference?
    
    
    
    -----michael cannella  mailto:mcannellaat_private
    -----Internet Security Systems, eServices
    -----http://www.iss.net/
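
The inspection model described in the message above, as an added toy simulation (not Check Point code; the rule shape, the `in`/`out` legs and the handling of transit traffic under "inbound" direction are assumptions). It shows why firewall-sourced traffic hits the unlogged implicit clean-up rule when interface direction is "inbound" and "Allow outbound" is off, and how either the property or "eitherbound" plus an accept rule lets it through.

```python
from dataclasses import dataclass

FW_IP = "10.0.0.1"  # constructed: the firewall module's own address

@dataclass
class Rule:
    src: str      # "any" or an address
    dst: str      # "any" or an address
    action: str   # "accept" or "drop"
    log: bool = True

@dataclass
class Policy:
    direction: str        # "inbound" or "eitherbound"
    allow_outbound: bool  # the "Allow outbound connections" policy property
    rules: list

@dataclass
class Decision:
    action: str
    matched: str
    logged: bool

def inspect(pkt, pol, leg):
    """Inspect one packet on one leg ('in' = entering an interface, 'out' = leaving one)."""
    # Policy properties are implicit rules: enforced on every interface, never logged.
    if pol.allow_outbound and pkt["src"] == FW_IP:
        return Decision("accept", "property: allow outbound", False)
    # The rulebase applies on the inbound leg, and on the outbound leg only when eitherbound.
    if leg == "in" or pol.direction == "eitherbound":
        for n, r in enumerate(pol.rules, 1):
            if r.src in ("any", pkt["src"]) and r.dst in ("any", pkt["dst"]):
                return Decision(r.action, f"rule {n}", r.log)
    # Nothing matched: the implicit clean-up rule drops everything and does not log.
    return Decision("drop", "implicit clean-up", False)

def forward(pkt, pol):
    """Return the final decision for a packet across every leg it crosses."""
    if pkt["src"] == FW_IP:
        legs = ["out"]        # traffic sourced by the firewall never enters an interface
    elif pol.direction == "inbound":
        legs = ["in"]         # assumption: transit traffic is inspected once, on entry
    else:
        legs = ["in", "out"]
    for leg in legs:
        d = inspect(pkt, pol, leg)
        if d.action == "drop":
            return d
    return d

if __name__ == "__main__":
    rules = [Rule("any", "any", "accept")]
    fw_pkt = {"src": FW_IP, "dst": "192.0.2.10"}  # constructed: a connection from the firewall itself
    for direction, allow in [("inbound", False), ("inbound", True), ("eitherbound", False)]:
        print(direction, allow, forward(fw_pkt, Policy(direction, allow, rules)))
```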
    


