SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  does applying policy in one direction work unidirectional or bidirectional??

    Posted 12-13-2012 06:24

    Hi all,

    Since long ago I have had the understanding about firewalls that applying a security policy from zone A to zone B allows traffic only from zone A to zone B; it is unidirectional, traffic is allowed only that way and not bidirectionally, so getting any traffic from zone B to zone A is not possible unless we explicitly apply a security policy from zone B to zone A as well... please correct me if I'm wrong...

    E.g., this implies that when a client in zone A sends a request to a server in zone B, the server's reply to the request, going from zone B to zone A, will not be allowed by the firewall to pass unless a specific policy is also applied in the opposite direction too...

    That's why I always apply security policies in both directions...

    Am I correct, or do I need to know something more here???

    Please reply in detail, preferably referring to some to-the-point document in support that can help me make myself clear...



  • 2.  RE: does applying policy in one direction work unidirectional or bidirectional??
    Best Answer

    Posted 12-13-2012 06:52

    It's quite simple: a stateful firewall is stateful. The direction is relevant in allowing the session. Return traffic for an existing session is always allowed by the same policy!!

    So: a policy trust to untrust allows users to initiate sessions to the internet, and allows the server to respond. But of course we don't allow internet users to create sessions to us!!!


    You only look at initiating the session for finding the right zones.



  • 3.  RE: does applying policy in one direction work unidirectional or bidirectional??

    Posted 12-13-2012 09:52

    Thanks screenie for the nice elaboration.



  • 4.  RE: does applying policy in one direction work unidirectional or bidirectional??

    Posted 12-17-2012 18:06

    For completeness, what you describe is how a stateless firewall would work.

    Therefore those usually allow return traffic by checking the TCP SYN flag, to let traffic belonging to an already set-up session through while blocking new attempts at creating sessions.


    Obviously stateful firewalls make this decidedly easier to properly secure.
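    Added example (not from the thread or from Juniper): a small Python simulation of the point made in answers 2 and 4. A single zone policy, trust to untrust, is consulted only for the session-initiating SYN; the stateful firewall then admits the server's reply from its session table, while a stateless per-packet filter with the same rule drops the reply and can only admit it through an extra "established" (ACK-flag) rule that also lets unsolicited ACKs in. Zone names, addresses and ports are constructed for the illustration.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:
    src_zone: str; dst_zone: str
    src: str; sport: int
    dst: str; dport: int
    syn: bool = False; ack: bool = False

# Constructed zone policy: only trust -> untrust is permitted, to web ports.
# There is deliberately no untrust -> trust policy, as in the question.
POLICY = {("trust", "untrust"): {80, 443}}

def policy_permits(p):
    return p.dport in POLICY.get((p.src_zone, p.dst_zone), set())

class StatefulFirewall:
    """Zone policy decides only the session-initiating packet; later packets
    in either direction are matched against the session table instead."""
    def __init__(self):
        self.sessions = set()
    def allow(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.sessions or rev in self.sessions:
            return True  # return traffic rides the existing session
        if p.syn and not p.ack and policy_permits(p):
            self.sessions.add(fwd)  # first packet of a new, permitted session
            return True
        return False  # no policy permits this new session

def stateless_allow(p, established_rule):
    # Per-packet filter with no memory; replies need an extra ACK-based rule.
    if policy_permits(p):
        return True
    if established_rule and (p.src_zone, p.dst_zone) == ("untrust", "trust"):
        return p.ack
    return False

def walk_session():
    # Client in trust opens a web session; the server in untrust replies;
    # a third packet is an unsolicited ACK to a port the client never used.
    syn = Packet("trust", "untrust", "10.0.0.5", 40000, "203.0.113.10", 443, syn=True)
    syn_ack = Packet("untrust", "trust", "203.0.113.10", 443, "10.0.0.5", 40000, syn=True, ack=True)
    stray = Packet("untrust", "trust", "203.0.113.10", 443, "10.0.0.5", 40001, ack=True)
    fw, pkts = StatefulFirewall(), (syn, syn_ack, stray)
    return {
        "stateful": [fw.allow(p) for p in pkts],
        "stateless": [stateless_allow(p, False) for p in pkts],
        "stateless_established": [stateless_allow(p, True) for p in pkts],
    }
```

    Only the stateful model both admits the reply and still refuses the stray ACK, which is the "decidedly easier to properly secure" point from answer 4.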