Hello,

Matthew Babcock wrote:
> Please excuse the delayed response.
No problem.

> To answer your question, no I cannot, yet.
>
> However, I can demonstrate iptables following what the "state" is on UDP
> packets using DNS.
[...]
> You should see as I do, that the UDP DNS requests are logged under the
> state NEW, and that the response was logged under the state ESTABLISHED.

Nothing new here. UDP possible states are:

- NEW for a datagram creating a new connection or belonging to a "connection" which has seen traffic only in one direction;
- ESTABLISHED for a datagram belonging to a "connection" which has seen traffic in both directions;
- RELATED when a conntrack helper expects a UDP datagram related to an existing connection (e.g. TFTP or SIP).

Note that this is not specific to UDP; conntrack does the same with all connectionless protocols.

> I consider this, iptables differentiating between "New" and
> "Established" UDP "connections", reason to extrapolate that iptables can
> follow state in UDP packets such as flagging on "Invalid" or out of
> state UDP packets.

UDP is connectionless by nature, so how would you define the INVALID state of a UDP datagram?

> I aim to try and create an "Invalid" UDP state packet. I will follow up
> if I try regardless of the outcome.

Good luck. I meant it.

-- 
Archive: http://lists.debian.org/[email protected]
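As an added illustration of the state rules discussed in this thread (editor's example, not code from either poster or from the kernel), the following Python model reproduces how conntrack classifies UDP datagrams: the first datagram of a 4-tuple is NEW, it stays NEW in the original direction until a reply has been seen, and both directions are ESTABLISHED afterwards. It also shows the one way a UDP datagram can be INVALID without any "connection" semantics at all: Linux's nf_conntrack_proto_udp rejects a datagram whose UDP length field is shorter than the 8-byte header or longer than the bytes actually on the wire before it ever reaches the state lookup (a bad checksum is treated the same way when the nf_conntrack_checksum sysctl is on, which is not modelled here). The addresses, timeouts, the `Datagram` and `UdpConntrack` names and the DNS exchange are constructed for the demonstration; the timeout values are assumed to match the Linux defaults for nf_conntrack_udp_timeout (30 s) and nf_conntrack_udp_timeout_stream (120 s).

```python
"""Toy model of conntrack's treatment of UDP (constructed example, not kernel code)."""
from dataclasses import dataclass

UDP_HDR_LEN = 8
# Assumed to match the Linux defaults nf_conntrack_udp_timeout (unreplied)
# and nf_conntrack_udp_timeout_stream (replied); adjust for your kernel.
TIMEOUT_UNREPLIED = 30.0
TIMEOUT_REPLIED = 120.0


@dataclass
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int
    length: int     # value of the UDP header's length field (header + payload)
    wire_len: int   # bytes actually present after the IP header
    t: float = 0.0  # arrival time in seconds (constructed clock)


@dataclass
class Entry:
    expires: float
    replied: bool = False   # set once traffic has been seen in both directions


class UdpConntrack:
    """Tracks UDP 'connections' keyed by the original-direction 4-tuple."""

    def __init__(self):
        self.table = {}

    @staticmethod
    def is_well_formed(d):
        # Sanity checks applied before any state lookup, as in the kernel's
        # udp_error(): a datagram too short to carry a header, or whose length
        # field claims more than is on the wire, matches --ctstate INVALID.
        if d.wire_len < UDP_HDR_LEN:
            return False
        if d.length < UDP_HDR_LEN or d.length > d.wire_len:
            return False
        return True

    def classify(self, d):
        if not self.is_well_formed(d):
            return "INVALID"
        orig = (d.src, d.sport, d.dst, d.dport)
        reply = (d.dst, d.dport, d.src, d.sport)
        # Expire stale entries first: an idle UDP "connection" simply disappears.
        for key in [k for k, e in self.table.items() if e.expires <= d.t]:
            del self.table[key]
        if orig in self.table:
            # Original direction: NEW until a reply has been seen, then ESTABLISHED.
            e = self.table[orig]
            e.expires = d.t + (TIMEOUT_REPLIED if e.replied else TIMEOUT_UNREPLIED)
            return "ESTABLISHED" if e.replied else "NEW"
        if reply in self.table:
            # Reply direction: the first answer promotes the entry to replied.
            e = self.table[reply]
            e.replied = True
            e.expires = d.t + TIMEOUT_REPLIED
            return "ESTABLISHED"
        # Unknown tuple: create an entry, datagram is NEW.
        self.table[orig] = Entry(expires=d.t + TIMEOUT_UNREPLIED)
        return "NEW"


def dns_exchange_demo():
    """Constructed DNS exchange between a client and a resolver."""
    ct = UdpConntrack()
    client = ("192.0.2.10", 40000)
    resolver = ("192.0.2.1", 53)
    query = Datagram(*client, *resolver, length=48, wire_len=48, t=0.0)
    response = Datagram(*resolver, *client, length=128, wire_len=128, t=0.1)
    query2 = Datagram(*client, *resolver, length=48, wire_len=48, t=1.0)
    # Length field (4) smaller than the UDP header: malformed, never tracked.
    malformed = Datagram(*client, *resolver, length=4, wire_len=48, t=1.5)
    # Same 4-tuple again after the replied-stream timeout has elapsed.
    query_late = Datagram(*client, *resolver, length=48, wire_len=48, t=200.0)
    return [ct.classify(p) for p in (query, response, query2, malformed, query_late)]


if __name__ == "__main__":
    for label, state in zip(("query", "response", "query2", "malformed", "query_late"),
                            dns_exchange_demo()):
        print(f"{label:11s} -> {state}")
```

The model makes the point of the thread concrete: "state" for UDP is a cache entry keyed by the 4-tuple plus a reply-seen flag and a timer, so nothing a peer sends can be "out of state" in the TCP sense; INVALID for UDP comes from header sanity checks, not from sequencing.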

