RRAS packet filtering, what isTCP(established)?

[Charles Knell]

I'm experimenting with RRAS as a primitive firewall. In
the RAS MMC snap-in under the IP filter edit dialogue,
there is a choice in the Protocol: drop-down control, "TCP
[established]". I can't find a reference to describe
exactly what this means. If it means what I hope it means,
it will solve a problem. Can anyone tell me how this
option is different from just plain "TCP"? Thanks.

 

[Dusty Harper {MS}]

TCP Established is a connection that has gone through the TCP 3-way
handshake. after the final ACK, the TCP connection is said to be
established.

 

[Charles Knell]

If I were to establish a filter that prevented all traffic
except TCP[established], how would the handshake get
started?

-----Original Message-----
TCP Established is a connection that has gone through the TCP 3-way
handshake. after the final ACK, the TCP connection is said to be
established.

--
--
Dusty Harper
Microsoft Corporation
---------------------------------------------------------- ------------------
This posting is provided "AS IS", with NO warranties and confers NO rights
---------------------------------------------------------- ------------------

I'm experimenting with RRAS as a primitive firewall. In
the RAS MMC snap-in under the IP filter edit dialogue,
there is a choice in the Protocol: drop-down control, "TCP
[established]". I can't find a reference to describe
exactly what this means. If it means what I hope it means,
it will solve a problem. Can anyone tell me how this
option is different from just plain "TCP"? Thanks.

.

 

[Dusty Harper {MS}]

If you deny the traffic that would stop the handshake, then you wouldn't get
into an established state
--
--
Dusty Harper
Microsoft Corporation
----------------------------------------------------------------------------
This posting is provided "AS IS", with NO warranties and confers NO rights
----------------------------------------------------------------------------

If I were to establish a filter that prevented all traffic
except TCP[established], how would the handshake get
started?

-----Original Message-----
TCP Established is a connection that has gone through the TCP 3-way
handshake. after the final ACK, the TCP connection is said to be
established.

--
--
Dusty Harper
Microsoft Corporation
---------------------------------------------------------- ------------------
This posting is provided "AS IS", with NO warranties and confers NO rights
---------------------------------------------------------- ------------------

I'm experimenting with RRAS as a primitive firewall. In
the RAS MMC snap-in under the IP filter edit dialogue,
there is a choice in the Protocol: drop-down control, "TCP
[established]". I can't find a reference to describe
exactly what this means. If it means what I hope it means,
it will solve a problem. Can anyone tell me how this
option is different from just plain "TCP"? Thanks.

.

 

[Charles Knell]

That much I suspected, so in what circumstances would I
use TCP[established]?
It makes no sense to permit only TCP[established], because
before the connection was established, no packets would
get through. On the other hand, to deny TCP[established]
makes no sense to me either.

-----Original Message-----
If you deny the traffic that would stop the handshake, then you wouldn't get
into an established state
--
--
Dusty Harper
Microsoft Corporation
---------------------------------------------------------- ------------------
This posting is provided "AS IS", with NO warranties and confers NO rights
---------------------------------------------------------- ------------------

If I were to establish a filter that prevented all traffic
except TCP[established], how would the handshake get
started?

-----Original Message-----
TCP Established is a connection that has gone through

the
TCP 3-way

handshake. after the final ACK, the TCP connection is said to be
established.

--

---
------------------

This posting is provided "AS IS", with NO warranties

and
confers NO rights

-------------------------------------------------------

---
------------------

I'm experimenting with RRAS as a primitive firewall. In
the RAS MMC snap-in under the IP filter edit dialogue,
there is a choice in the Protocol: drop-down control, "TCP
[established]". I can't find a reference to describe
exactly what this means. If it means what I hope it means,
it will solve a problem. Can anyone tell me how this
option is different from just plain "TCP"? Thanks.


.

.

 

[Bill Grant]

Basically, the setting is to allow traffic for a session which has been
established by this machine to pass, but to prevent some outside machine
from establishing a session. So it allows a reply to come in, but not an
initiating request.

You need to get down to the details of how a TCP session is established
(SYN, SYN-ACK and ACK) to see how this works.

 

[Charles Knell]

Thanks. That's what I thought it meant, but couldn't find
it stated so clearly. What I need to do is allow machines
outside the firewall to connect to an Oracle database on a
Windows host inside the firewall.

On Windows (unlike on Unix/Linux) while the initial
connection is made with a listener process on a fixed
port, the listener then sends a message back to the Oracle
client directing it to communicate on another randomly-
selected non-priviledged port (i.e., in the range of 1025-
65,536).

So I'll need to set up my filters to permit packets to
enter on the fixed port number and forward them to the
same port on the Windows/Oracle host. I'll then set a rule
permitting TCP[established] packets destined for my
Windows/Oracle host to enter on any port. Does that sound
right?

-----Original Message-----
Basically, the setting is to allow traffic for a session which has been
established by this machine to pass, but to prevent some outside machine
from establishing a session. So it allows a reply to come in, but not an
initiating request.

You need to get down to the details of how a TCP session is established
(SYN, SYN-ACK and ACK) to see how this works.

I'm experimenting with RRAS as a primitive firewall. In
the RAS MMC snap-in under the IP filter edit dialogue,
there is a choice in the Protocol: drop-down control, "TCP
[established]". I can't find a reference to describe
exactly what this means. If it means what I hope it means,
it will solve a problem. Can anyone tell me how this
option is different from just plain "TCP"? Thanks.

.

 

[Bill Grant]

If you open up too many ports, you defeat the purpose of having a
firewall in the first place. I would look at some way to make a secure
connection through the firewall for these clients. Have you looked at VPN?
That way all traffic is encrypted and is not seen by the firewall filters.
The firewall only see the "wrapper" on the packet.

Thanks. That's what I thought it meant, but couldn't find
it stated so clearly. What I need to do is allow machines
outside the firewall to connect to an Oracle database on a
Windows host inside the firewall.

On Windows (unlike on Unix/Linux) while the initial
connection is made with a listener process on a fixed
port, the listener then sends a message back to the Oracle
client directing it to communicate on another randomly-
selected non-priviledged port (i.e., in the range of 1025-
65,536).

So I'll need to set up my filters to permit packets to
enter on the fixed port number and forward them to the
same port on the Windows/Oracle host. I'll then set a rule
permitting TCP[established] packets destined for my
Windows/Oracle host to enter on any port. Does that sound
right?

-----Original Message-----
Basically, the setting is to allow traffic for a session which has been
established by this machine to pass, but to prevent some outside machine
from establishing a session. So it allows a reply to come in, but not an
initiating request.

You need to get down to the details of how a TCP session is established
(SYN, SYN-ACK and ACK) to see how this works.

I'm experimenting with RRAS as a primitive firewall. In
the RAS MMC snap-in under the IP filter edit dialogue,
there is a choice in the Protocol: drop-down control, "TCP
[established]". I can't find a reference to describe
exactly what this means. If it means what I hope it means,
it will solve a problem. Can anyone tell me how this
option is different from just plain "TCP"? Thanks.

.