
confused with firewall configuration required


molecul3

Technical User
Apr 17, 2003
182
HK
Hi all,

Excuse my ignorance, but I have a question in regard to firewalls. If there is an application on host A which needs to talk to host B on port 443, and host B will respond to queries from the application, does this require port 443 to only be opened one way, from host A to host B, or bi-directionally?

Thanks in advance
 
Hi Brianinms,

Thanks for your reply. I am confused due to the fact that host b would not actually be establishing any HTTPS sessions to host a. Only host a will be establishing the initial session. Once the initial session is established, wouldn't the communication still work without port 443 being opened from host b to host a? I hope I am making some sense.
 
Well it would depend on the firewall and the actual configuration as most firewalls allow all outbound traffic by default. Host A will use a port greater than 1024 to connect to Host B on port 443. If Host B wasn't allowed to send traffic out the firewall on port 443 then there would be no response.

 
Hi Brianinms,

Thanks again for your reply. So, to sum up what I have understood from all this, in a "typical" environment or infrastructure, if host A wants to talk to host B, the incoming port on the firewall in front of host B needs to be opened. If host B needs to reply, outgoing traffic on the firewall is usually unblocked, so there is no need for a rule in the other direction. Is this correct?
 
smyap3,
You are correct in your assumption.
If host A outside the firewall initiates a connection to host B on the inside of the firewall, Host A's source port will be >1024 with the destination of Host B's IP on port 443. The firewall does not need to allow port 443 from the inside to the outside for this to work. It just needs to allow Host A's source port outbound - which is what Host B will reply with. Now most firewalls do allow all traffic outbound, but even if you explicitly block port 443 outbound this will still work as long as Host A's source port is not blocked.

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Hi Brent,

Thank you for your explanation. It looks much clearer to me now. From a PIX point of view, how do we know which ports or port ranges (inbound and outbound) have been blocked? All of the firewalls we have in the company have been configured (not by me) and I would like to be able to read through the config and understand what is going on and start getting some hands-on with PIXs.

P.s. Would you have any recommendations or links to documents that provide an overview for this sort of port communication and/or understanding firewalls?
 
To see what is blocked you will need to read through the ACLs on the PIX and see which interface each ACL is applied to. The ACLs inspect traffic coming into the interface (not going out of it), and there is an implicit deny everything at the end of the ACL.

This is a link to everything Cisco firewalls can do.

It will give you all the basics and a lot more.
As always, if you have specific questions, just create a new thread. There are always lots of people to help.

Brent
Systems Engineer / Consultant
CCNP, CCSP
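The two points Brent makes above (a reply on an established session is addressed to Host A's ephemeral source port, so no rule permitting 443 from the inside outward is needed, and a PIX ACL is evaluated on traffic entering an interface and ends in an implicit deny) can be walked through with a small model. The following is an added example written for this thread, not code from the original posts or from Cisco. The access-list and access-group lines, the addresses and the ports are constructed; the parser accepts only this small subset of PIX syntax, and the connection table is a simplified stand-in for the firewall's real state tracking.

```python
"""Toy stateful packet filter (added example, not from the thread or Cisco).
Models an ACL bound inbound to an interface with an implicit deny at the end,
plus a connection table that admits replies to established TCP sessions.
All configuration lines and packets below are constructed."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True for the first packet of a TCP connection


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # IP address or "any"
    dst: str               # IP address or "any"
    dport: Optional[int]   # None means any destination port


# Constructed config: the outside interface admits HTTPS to Host B
# (203.0.113.20); the inside interface explicitly blocks new outbound
# connections to port 443, the "even if you explicitly block" case above.
CONFIG = """
access-list outside_in permit tcp host 198.51.100.10 host 203.0.113.20 eq 443
access-group outside_in in interface outside
access-list inside_out deny tcp any any eq 443
access-group inside_out in interface inside
"""

ACL_RE = re.compile(
    r"access-list (\S+) (permit|deny) tcp (host \S+|any) (host \S+|any)(?: eq (\d+))?$")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)$")


class Firewall:
    def __init__(self, config: str):
        self.acls = {}       # ACL name -> list of Rule, in order
        self.bindings = {}   # interface -> ACL name applied to ingress traffic
        self.conns = set()   # established 4-tuples (src_ip, src_port, dst_ip, dst_port)
        for line in config.strip().splitlines():
            if m := ACL_RE.match(line):
                name, action, src, dst, port = m.groups()
                self.acls.setdefault(name, []).append(Rule(
                    action, src.replace("host ", ""), dst.replace("host ", ""),
                    int(port) if port else None))
            elif m := GROUP_RE.match(line):
                name, iface = m.groups()
                self.bindings[iface] = name
            else:
                raise ValueError(f"unsupported line: {line}")

    @staticmethod
    def _matches(rule: Rule, pkt: Packet) -> bool:
        return (rule.src in ("any", pkt.src_ip)
                and rule.dst in ("any", pkt.dst_ip)
                and rule.dport in (None, pkt.dst_port))

    def evaluate(self, pkt: Packet, ingress: str, stateful: bool = True) -> str:
        """Verdict for a packet entering interface `ingress`."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        # A stateful firewall matches the reply of a known session first; the
        # reply's destination port is Host A's ephemeral source port, not 443.
        if stateful and (key in self.conns or reverse in self.conns):
            return "permit: established"
        name = self.bindings.get(ingress)
        if name is None:
            verdict = "permit: no acl on interface"   # simplification
        else:
            verdict = "deny: implicit"                # the end of every ACL
            for rule in self.acls[name]:              # first match wins
                if self._matches(rule, pkt):
                    verdict = f"{rule.action}: acl {name}"
                    break
        if verdict.startswith("permit") and pkt.syn:
            self.conns.add(key)
        return verdict


def demo() -> list:
    """Walk the thread's scenario; returns the verdict of each step."""
    fw = Firewall(CONFIG)
    a_to_b = Packet("198.51.100.10", 51234, "203.0.113.20", 443, syn=True)
    b_to_a = Packet("203.0.113.20", 443, "198.51.100.10", 51234)
    b_new_443 = Packet("203.0.113.20", 40001, "192.0.2.5", 443, syn=True)
    return [
        fw.evaluate(a_to_b, "outside"),      # Host A opens the session
        fw.evaluate(b_to_a, "inside"),       # reply rides the established entry
        Firewall(CONFIG).evaluate(b_to_a, "inside", stateful=False),  # no state: implicit deny
        fw.evaluate(b_new_443, "inside"),    # a new outbound 443 session is blocked
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The third step is the one worth noticing when reading a config: with no connection table, the reply from Host B does not match the explicit 443 rule at all (its destination port is 51234) and falls through to the implicit deny, which is exactly why Brent says the only thing that must be allowed outbound is Host A's source port. On a stateful firewall that allowance comes from the connection entry rather than from a rule, so reading the ACLs alone tells you which new connections are admitted on each interface, not which replies are.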
 
Thanks Brent. You were a big help. Much appreciated.
 