>Is it necessary within the rule base to provide for a connection going both ways?
>In other words, if I need http access for the entire network, is it required to do the following two rules:
>
>Rule X: Network  Any  Http  Accept
>Rule Y: Any  Network  Http  Accept
>
>Wouldn't just having the first one allow Http to work both ways, requests going out and requested data and acks coming in?
>
Yes, the first rule should allow response packets to come back in and you don't need to implement Rule Y. Rule Y would allow ANYONE to initiate HTTP connections to ALL systems on your network. (Bad idea)

Stateful inspection is set up to keep track of connections and allow responses to established UDP and TCP connections to come back in.

TCP sessions time out based on what you have set in your Policy Properties' Security tab (TCP Session Timeout - defaults to 3600sec). Also, you may allow UDP responses for UDP connections (UDP virtual session timeouts - defaults to 40sec).
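To make the point concrete, here is a toy stateful-inspection model written for this thread (added illustration, not Check Point code). It assumes a rule base holding only Rule X (internal network -> Any, http, Accept) plus a constructed UDP/53 rule to exercise the UDP virtual session timeout; the 3600s and 40s defaults are the ones quoted above, and the addresses are constructed samples.

```python
# Toy stateful-inspection model: added example, not Check Point's implementation.
# Timeouts are the defaults quoted in the reply (3600 s TCP, 40 s UDP virtual session).
TCP_SESSION_TIMEOUT = 3600
UDP_VIRTUAL_SESSION_TIMEOUT = 40
INTERNAL_NET = "10.0.0."          # constructed sample prefix standing in for "Network"

# Rule base entries: (name, src_prefix, dst_prefix, proto, dport); "" matches Any.
# Only Rule X from the question is present; the DNS rule is a constructed extra.
RULEBASE = [
    ("Rule X", INTERNAL_NET, "", "tcp", 80),
    ("Rule DNS", INTERNAL_NET, "", "udp", 53),
]

class StatefulFirewall:
    def __init__(self):
        self.table = {}   # (proto, src, sport, dst, dport) -> time last seen

    def _timeout(self, proto):
        return TCP_SESSION_TIMEOUT if proto == "tcp" else UDP_VIRTUAL_SESSION_TIMEOUT

    def check(self, now, proto, src, sport, dst, dport):
        """Return the verdict for one packet and update the connection table."""
        # Expire idle entries first (the real firewall does this on a timer).
        for key in [k for k, t in self.table.items() if now - t > self._timeout(k[0])]:
            del self.table[key]
        fwd = (proto, src, sport, dst, dport)
        rev = (proto, dst, dport, src, sport)
        # Packets of an already-accepted connection pass in either direction without
        # consulting the rule base; this is why Rule Y is not needed for replies.
        if fwd in self.table or rev in self.table:
            self.table[fwd if fwd in self.table else rev] = now
            return "accept (established)"
        # Otherwise it is a new connection: first matching rule decides.
        for name, sp, dp, rproto, rport in RULEBASE:
            if src.startswith(sp) and dst.startswith(dp) and proto == rproto and dport == rport:
                self.table[fwd] = now
                return f"accept ({name})"
        return "drop"

def demo():
    fw = StatefulFirewall()
    v1 = fw.check(0, "tcp", "10.0.0.5", 40000, "198.51.100.7", 80)   # client -> web server
    v2 = fw.check(1, "tcp", "198.51.100.7", 80, "10.0.0.5", 40000)   # server's reply comes back
    v3 = fw.check(2, "tcp", "203.0.113.9", 51000, "10.0.0.5", 80)    # outsider opens HTTP inbound
    v4 = fw.check(10, "udp", "10.0.0.5", 5353, "198.51.100.53", 53)  # DNS query out
    v5 = fw.check(55, "udp", "198.51.100.53", 53, "10.0.0.5", 5353)  # reply 45 s later: expired
    return v1, v2, v3, v4, v5
```

Only the inbound-initiated HTTP connection (v3) is dropped, which is exactly the traffic Rule Y would have let through; the late UDP reply (v5) is dropped because its 40s virtual session has already expired.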
Is it necessary within the rule base to provide for a connection going both ways? In other words, if I need http access for the entire network, is it required to do the following two rules:

Rule X: Network  Any  Http  Accept
Rule Y: Any  Network  Http  Accept

Wouldn't just having the first one allow Http to work both ways, requests going out and requested data and acks coming in?

Thanks,
Ryan Realivasquez