Can anybody tell me what I'm doing wrong, or is it a fact that the stateful inspection is not working properly?
The problem: I always have to create two rules to get a connection working. For example, I want to set up an allow rule from eth4 (outside) any to eth3 (dmz) 172.16.30.22 port 25. To get this active I need to make the following two(!) rules:
ETH04 ETH03 ACCEPT tcp opt — in ETH04 out ETH03 0.0.0.0/0 -> 172.16.30.22 state NEW,ESTABLISHED tcp dpt:25
ETH03 ETH04 ACCEPT tcp opt — in ETH03 out ETH04 172.16.30.22 -> 0.0.0.0/0 state NEW,ESTABLISHED tcp spt:25
Whereas I would expect that one rule would be enough as long as you select the New and Established connection options.
IMHO, everything is OK. Two rules are required.
The rules describe packets for DIFFERENT interfaces.
This stateful inspection does NOT have to know about reverse traffic.
The first rule allows traffic from the eth04 interface to the eth03 interface WITH A DEFINED STATE (new or established), but traffic from eth03 to eth04 is not defined at all. Maybe there are no reverse packets to the initiating port on eth04, but there is traffic to a new port, aka RELATED. Stateful inspection works with such state definitions only.
Are you an xKerio user? It's true, many MS Windows firewalls do that: only one direction of traffic has to be defined, but there are TWO hidden rules inside.
Sorry for my English, I hope the main point of my post is clear 😳
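To make the interaction between interface-bound rules and connection state concrete, here is a small model of an iptables FORWARD chain with conntrack. It is an added example, not the poster's ruleset or netfilter code, and it only models NEW/ESTABLISHED on a single TCP flow (RELATED needs protocol helpers and is left out). The DMZ host 172.16.30.22 is from the thread; the outside client 203.0.113.5, the port numbers and the packet sequence are constructed for the example. It replays the poster's two rules, then an alternative with one interface-agnostic `ESTABLISHED,RELATED` rule at the top and the inbound rule restricted to NEW, and shows why the reply (SYN-ACK) is dropped with the first rule alone, and what the second rule's `NEW` state lets through that the alternative does not:

```python
"""Toy model of an iptables FORWARD chain with conntrack state matching.

Added illustration, not the poster's ruleset or netfilter code. Only the
5-tuple and NEW/ESTABLISHED are modelled; RELATED (FTP data, ICMP errors)
needs conntrack helpers and is omitted. 203.0.113.5 is a constructed
(documentation-range) outside address.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    iif: str
    oif: str
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    target: str = "ACCEPT"
    iif: Optional[str] = None
    oif: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    states: Optional[FrozenSet[str]] = None  # None == no '-m state' match

    def matches(self, pkt: Packet, state: str) -> bool:
        for field in ("iif", "oif", "src", "dst", "sport", "dport"):
            want = getattr(self, field)
            if want is not None and want != getattr(pkt, field):
                return False
        return self.states is None or state in self.states


class Conntrack:
    """Flow table keyed on the 5-tuple as first seen (original direction)."""

    def __init__(self) -> None:
        self.flows = set()

    @staticmethod
    def _orig(pkt: Packet):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reply(pkt: Packet):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def state(self, pkt: Packet) -> str:
        # Either direction of a known flow is ESTABLISHED; anything else is NEW.
        if self._orig(pkt) in self.flows or self._reply(pkt) in self.flows:
            return "ESTABLISHED"
        return "NEW"

    def confirm(self, pkt: Packet) -> None:
        # As in netfilter, a new entry is only confirmed once the packet is accepted.
        if self.state(pkt) == "NEW":
            self.flows.add(self._orig(pkt))


def forward(rules: List[Rule], ct: Conntrack, pkt: Packet, policy: str = "DROP") -> str:
    state = ct.state(pkt)
    for rule in rules:
        if rule.matches(pkt, state):
            if rule.target == "ACCEPT":
                ct.confirm(pkt)
            return rule.target
    return policy


def run(rules: List[Rule], packets: List[Packet]) -> List[str]:
    ct = Conntrack()
    return [forward(rules, ct, p) for p in packets]


NEW_EST = frozenset({"NEW", "ESTABLISHED"})
MAIL = "172.16.30.22"    # DMZ mail host from the thread
OUTSIDE = "203.0.113.5"  # constructed outside client

# One SMTP connection: SYN inbound, SYN-ACK back out through the other interface.
SYN = Packet("ETH04", "ETH03", OUTSIDE, MAIL, 40000, 25)
SYNACK = Packet("ETH03", "ETH04", MAIL, OUTSIDE, 25, 40000)
# Unsolicited connections opened by the DMZ host, one of them from source port 25.
DMZ_OUT = Packet("ETH03", "ETH04", MAIL, OUTSIDE, 50000, 80)
DMZ_SPORT25 = Packet("ETH03", "ETH04", MAIL, OUTSIDE, 25, 4444)

RULE_IN = Rule(iif="ETH04", oif="ETH03", dst=MAIL, dport=25, states=NEW_EST)       # poster's rule 1
RULE_BACK = Rule(iif="ETH03", oif="ETH04", src=MAIL, sport=25, states=NEW_EST)     # poster's rule 2
RULE_REPLIES = Rule(states=frozenset({"ESTABLISHED", "RELATED"}))                   # alternative: any iface
RULE_IN_NEW = Rule(iif="ETH04", oif="ETH03", dst=MAIL, dport=25, states=frozenset({"NEW"}))

def one_rule() -> List[str]:
    return run([RULE_IN], [SYN, SYNACK])

def two_rules() -> List[str]:
    return run([RULE_IN, RULE_BACK], [SYN, SYNACK, DMZ_OUT, DMZ_SPORT25])

def generic_reply() -> List[str]:
    return run([RULE_REPLIES, RULE_IN_NEW], [SYN, SYNACK, DMZ_OUT, DMZ_SPORT25])


if __name__ == "__main__":
    print("rule 1 only      :", one_rule())        # ['ACCEPT', 'DROP']
    print("rules 1 + 2      :", two_rules())       # ['ACCEPT', 'ACCEPT', 'DROP', 'ACCEPT']
    print("generic replies  :", generic_reply())   # ['ACCEPT', 'ACCEPT', 'DROP', 'DROP']
```

The model shows the point made in the reply above: conntrack marks the SYN-ACK as ESTABLISHED, but a rule bound to `in ETH04 out ETH03` simply does not match a packet travelling `in ETH03 out ETH04`, so something has to accept it. The caveat for the poster's second rule is its `NEW` state: it also accepts brand-new connections from 172.16.30.22 as long as their source port is 25, which is not what "allow the way back" intends. A single reply rule with only `ESTABLISHED,RELATED` and no interface or port qualifiers accepts replies for every permitted connection while refusing that outbound attempt.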
I thought that if I, for example, define a rule from eth04 (outside) to eth03 (dmz) to allow RDP (3389) to a host, the firewall inspects the session and, if it is established, allows the way back automatically. It is, after all, established, but in this case I have to define the way back myself with a second rule.
PS: "No, I'm not an xKerio user; in fact, I don't even know what that is … 😆"