For the firewalls I've played with, at least, stateful inspection doesn't work for the UDP protocol because it's connectionless. Stateful inspection allows traffic to be initiated only in one direction, e.g. by allowing only a request from a transient port (above 1023) to port 80, client to server; this prevents someone from tunneling a connection through an otherwise legitimate connection (for web access) by initiating the connection first from the attacker's port 80 to a user's transient port. If I'm not mistaken, stateful inspection knows the "direction" of the traffic initiation by checking out the three-way TCP handshake. UDP doesn't have such a handshaking procedure, hence any UDP traffic that needs to be allowed through a stateful packet filter has to be "stateless", e.g. for DNS, you have to have two filter lines - client to server: UDP>1023 to UDP=53, and server to client: UDP=53 to UDP>1023. I hope this helps.

Regards,

JS Wong

Swamy Patil wrote:

Can anyone answer this question about stateful inspection? State tables are maintained and checked against SYN, FIN, ACK etc., but what about UDP? Does it just check against the rule base and then give a green or red signal based on the rule base itself? ThanQ all those giving the reply for earlier mail.

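An added example, not from this thread, that simulates both approaches in Python: the two stateless filter lines JS Wong describes for DNS, beside a small per-flow UDP tracker that remembers each outbound request and admits only its reply. All packets, addresses and the timeout are constructed for the demonstration; it shows why the stateless pair accepts any inbound datagram with source port 53, while the flow tracker drops it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool  # True when the packet arrives from the outside (server -> client)


def stateless_dns_allowed(pkt: Packet) -> bool:
    """The two static filter lines from the post: client >1023 -> 53, server 53 -> >1023.
    Direction is inferred from port numbers only, so any outside host that sends
    from port 53 to a high port matches the second line."""
    if not pkt.inbound:
        return pkt.src_port > 1023 and pkt.dst_port == 53
    return pkt.src_port == 53 and pkt.dst_port > 1023


class UdpFlowTable:
    """Pseudo-stateful UDP filtering: record each permitted outbound request and
    admit an inbound packet only if it reverses a recorded, unexpired flow."""

    def __init__(self, timeout: float = 30.0):
        self.timeout = timeout
        self.flows = {}  # (client_ip, client_port, server_ip, server_port) -> last seen

    def _expire(self, now: float) -> None:
        self.flows = {k: t for k, t in self.flows.items() if now - t <= self.timeout}

    def allowed(self, pkt: Packet, now: float) -> bool:
        self._expire(now)
        if not pkt.inbound:
            if not (pkt.src_port > 1023 and pkt.dst_port == 53):
                return False
            self.flows[(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)] = now
            return True
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)  # reversed 4-tuple
        if key not in self.flows:
            return False  # no outstanding request from this client: drop
        self.flows[key] = now
        return True


# Constructed sample traffic (not taken from the thread)
REQUEST = Packet("10.0.0.5", 40000, "192.0.2.53", 53, inbound=False)
REPLY = Packet("192.0.2.53", 53, "10.0.0.5", 40000, inbound=True)
UNSOLICITED = Packet("198.51.100.9", 53, "10.0.0.5", 40001, inbound=True)


def compare_policies() -> dict:
    """Verdicts for: request, its reply, an unsolicited port-53 datagram, a late reply."""
    table = UdpFlowTable(timeout=30.0)
    stateful = [table.allowed(REQUEST, 0.0), table.allowed(REPLY, 1.0),
                table.allowed(UNSOLICITED, 2.0), table.allowed(REPLY, 60.0)]
    stateless = [stateless_dns_allowed(p) for p in (REQUEST, REPLY, UNSOLICITED, REPLY)]
    return {"stateless": stateless, "stateful": stateful}
```

The last entry in each list is the same reply arriving after the flow has expired: the static rules still accept it, the flow table does not.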