JS Wong wrote:
For the firewalls I've played with, at least, stateful inspection doesn't
work for the UDP protocol because it's connectionless. Stateful inspection
allows traffic to be initiated only in one direction, e.g. by allowing only a
request from a transient port (above 1023) to port 80, client to server. This
prevents someone from tunneling a connection through an otherwise legitimate
connection (for web access) by initiating the connection first from the
attacker's port 80 to a user's transient port. If I'm not mistaken, stateful
inspection knows the "direction" of the traffic initiation by checking out the
three-way TCP handshake. UDP doesn't have such a handshaking procedure, hence
any UDP traffic that needs to be allowed through a stateful packet filter has
to be "stateless", e.g. for DNS, you have to have two filter lines: client
to server: UDP >1023 to UDP=53, and server to client: UDP=53 to UDP >1023. I
hope this helps.
Regards,
JS Wong
Swamy Patil wrote:
Can anyone answer this question about stateful inspection?
State tables are maintained and checked against SYN, FIN, ACK etc., but what
about UDP? Does it just check against the rule base and then give a green
or red signal based on the rule base itself? Thanks to all those who replied
to my earlier mail.
There is a way to get a pseudo state with UDP by using the IP Identifier with
the source port field to make a key for your state table. This works for UDP
services that allow an ephemeral source port and don't mangle IP identification
on reply.
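To make the two approaches in this thread concrete, here is an added example (not code from any of the posters): a toy filter that admits TCP only for sessions whose SYN came from the inside, and compares JS Wong's stateless DNS rule pair with a UDP pseudo-state table. The pseudo-state is keyed on the address/port 4-tuple with a timeout rather than on the IP ID field mentioned above; the 10.0.0.0/24 "inside" range, the 30-second timeout and all addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

INSIDE = "10.0.0."      # constructed: hosts in 10.0.0.0/24 are the protected side
UDP_TIMEOUT = 30.0      # assumed: seconds a UDP pseudo-state entry stays valid

@dataclass(frozen=True)
class Pkt:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag set (ignored for udp)

def stateless_dns_allows(p: Pkt) -> bool:
    """JS Wong's two filter lines: >1023 -> 53 outbound, 53 -> >1023 inbound.
    No memory, so an unsolicited packet from port 53 is also admitted."""
    out = p.src.startswith(INSIDE) and p.sport > 1023 and p.dport == 53
    back = p.dst.startswith(INSIDE) and p.sport == 53 and p.dport > 1023
    return p.proto == "udp" and (out or back)

class StatefulFilter:
    """Direction-aware filter: TCP state from the handshake, UDP pseudo-state
    created by the outbound query and consumed by the matching reply."""
    def __init__(self) -> None:
        self.tcp: Set[Tuple] = set()
        self.udp: Dict[Tuple, float] = {}   # 4-tuple -> expiry time

    def allow(self, p: Pkt, now: float) -> bool:
        key = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.proto == "tcp":
            if key in self.tcp or rev in self.tcp:
                return True      # part of a session the inside opened
            if p.syn and p.src.startswith(INSIDE) and p.sport > 1023 and p.dport == 80:
                self.tcp.add(key)   # new web session, initiated from the inside
                return True
            return False         # e.g. an outside host starting from its port 80
        if p.proto == "udp":
            exp = self.udp.get(rev)
            if exp is not None and now <= exp:
                return True      # reply to a query we saw, still within the window
            if p.src.startswith(INSIDE) and p.sport > 1023 and p.dport == 53:
                self.udp[key] = now + UDP_TIMEOUT   # remember the outbound query
                return True
            return False         # unsolicited "reply" from port 53, or expired
        return False
```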
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]