Stateful firewalls and a DMZ


Ipsec Espah
05-09-2003, 09:21 PM
If established connections don't time out for a default of, I believe it was, 5 days, and you have a high-risk server in a DMZ, then once you connect to that server your connection is considered established for 5 days. So if your stateful firewall is set to allow established connections through, wouldn't that defeat the purpose of having a server in the DMZ?

stiles
05-11-2003, 12:08 AM
Why would you be using state in the rules to establish the DMZ when a DMZ is inherently stateless?

Ipsec Espah
05-12-2003, 12:39 PM
Originally posted by stiles
Why would you be using state in the rules to establish the DMZ when a DMZ is inherently stateless?

Thanks

tolstoy
05-15-2003, 07:29 PM
I'm not sure that would defeat the purpose of having a server in your DMZ, since your DMZ should be separating your high-risk, internet-accessible hosts from your more protected LAN. Whether or not your DMZ rules are stateless is another question entirely. Why wouldn't you make them stateful if it is possible? Stateful is, after all, much more secure. If your firewall does not check packets against a state table, then it may be possible to trojan/backdoor some internal or DMZ hosts and connect to them through an ACK tunnel. Many stateless firewalls let packets with only the ACK flag set in the header fly through under the assumption that they are part of an established session. Some poorly written rulesets only run checks against packets with the SYN flag set. Imagine this: your rules are configured to let all internal (LAN and DMZ) hosts use HTTP (this is extremely common and almost necessary in most organizations). Well, then an ACK tunnel can be created between a remote host and a compromised host on your network simply by establishing a connection from port 80 on the attacking host to whatever host the backdoor is running on on the compromised machine. Stateless = bad under all considerations, in my opinion.
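As an added illustration of the ACK-tunnel point above (not code from the thread), here is a toy Python model of the two rule sets: a flag-based filter that treats every ACK-bearing packet as part of an established session, and a state-table filter that only admits packets matching a connection it saw opened under policy and expires entries that go idle. The inside host 10.0.0.5, the outside host 203.0.113.9, the ports and the 5-day idle timeout are all constructed values.

```python
# Added toy model: a flag-based TCP filter beside a state-table filter.
# Hosts, ports and the 5-day idle timeout are constructed for illustration.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")  # flags: frozenset of names
INSIDE = {"10.0.0.5"}          # protected-side hosts (constructed)
IDLE_TIMEOUT = 5 * 24 * 3600   # seconds an idle entry survives (5 days, per the question)

def is_new_syn(pkt):
    return "SYN" in pkt.flags and "ACK" not in pkt.flags

def policy_allows_new(pkt):
    """Site policy from the thread: inside hosts may open outbound HTTP."""
    return pkt.src in INSIDE and pkt.dport == 80

def stateless_allow(pkt):
    """Weak rule set: only SYNs are policy-checked; any packet carrying ACK is
    assumed to belong to an existing session and waved through."""
    return policy_allows_new(pkt) if is_new_syn(pkt) else "ACK" in pkt.flags

def conn_key(pkt):
    # Direction-independent key, so replies match the entry the SYN created
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

def stateful_allow(table, pkt, now):
    """State-table filter: non-SYN packets must match a connection opened
    under policy. 'table' maps connection key -> time of last packet seen."""
    for k in [k for k, t in table.items() if now - t > IDLE_TIMEOUT]:
        del table[k]        # expire idle entries (the 5-day case from the question)
    k = conn_key(pkt)
    if is_new_syn(pkt):
        if not policy_allows_new(pkt):
            return False
    elif k not in table:
        return False        # no tracked connection owns this packet
    table[k] = now          # create or refresh the entry's idle timer
    return True

def run_scenario():
    """Verdicts on a normal outbound HTTP handshake and on a forged ACK-only packet."""
    table = {}
    syn = Packet("10.0.0.5", 51000, "203.0.113.9", 80, frozenset({"SYN"}))
    synack = Packet("203.0.113.9", 80, "10.0.0.5", 51000, frozenset({"SYN", "ACK"}))
    # Same remote port 80, but aimed at an unrelated port on the inside host
    forged = Packet("203.0.113.9", 80, "10.0.0.5", 4444, frozenset({"ACK"}))
    handshake = all([stateless_allow(syn), stateful_allow(table, syn, 0),
                     stateless_allow(synack), stateful_allow(table, synack, 1)])
    return {"handshake": handshake,
            "stateless_forged": stateless_allow(forged),            # True
            "stateful_forged": stateful_allow(table, forged, 2)}    # False
```

The state-table entry is keyed on the full connection, so a long timeout only keeps the one flow the inside host opened alive; it does not let the remote side reach any other port, and the entry disappears once the flow goes idle.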