Firewall Wizards: FW-1 Stateful Inspection of UDP?

From: Avishai Wool <yash_at_lumeta.com>
Date: Thu, 07 Dec 2000 16:24:42 -0500

Lance,

In your "Understanding the FW-1 State Table" paper
  http://www.enteract.com/~lspitz/fwtable.html
you write that FW-1 statefully inspects UDP, i.e.,
it will accept returning UDP packets if they match an existing
src-ip/src-port/dst-ip/dst-port tuple that's already in the
state table (up to a timeout period).

Doesn't this behavior depend on the setting of the "Accept UDP Replies"
property?

According to http://www.phoneboy.com, if this property is set to FALSE,
FW-1 does NOT do stateful inspection of UDP.

Actually, I think that disabling the "accept UDP replies" is a
bad thing, if you plan on letting any type of bidirectional UDP
sessions through the firewall: if it's disabled, you have to filter
the replies based on their source port numbers, which can easily
be spoofed. Do you know of any situation when you'd actually want
to disable UDP replies?

Avishai

-- 
Avishai Wool, Ph.D.,   Chief Scientist & Co-Founder, Lumeta Corp.
600 Mountain Avenue, Room 2F-112,  Murray Hill,  NJ  07974,  USA 
http://www.lumeta.com   Research: http://www.bell-labs.com/~yash/
Email: yash_at_lumeta.com  Tel: (908) 582-6576   Fax: (908) 582-8129
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_nfr.com
http://www.nfr.com/mailman/listinfo/firewall-wizards
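To make the contrast in the message concrete, the following is an added example, not part of Wool's post and not FW-1's code: a small Python simulation of the two behaviors. One filter keeps a table of outbound UDP 4-tuples and admits an inbound packet only if it is the exact reverse of a live entry (stateful inspection with a timeout); the other has no table and must admit inbound UDP by source port alone, which is what you are left with when replies are not tracked. The timeout value, addresses, ports and traffic are assumptions constructed for the simulation, not FW-1 defaults or captured data.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Idle timeout for a UDP entry. Assumed for the simulation; it is not a
# claim about FW-1's actual default.
UDP_TIMEOUT = 40.0

Tuple4 = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    outbound: bool   # True: internal -> external, False: external -> internal
    time: float      # seconds on a monotonic clock


class StatefulUdpFilter:
    """Stateful inspection as described in the message: an allowed outbound
    packet records its 4-tuple; an inbound packet is admitted only if it is
    the exact reverse of a recorded tuple that has not idled past the timeout."""

    def __init__(self, allowed_dst_ports: Iterable[int], timeout: float = UDP_TIMEOUT):
        self.allowed_dst_ports = set(allowed_dst_ports)
        self.timeout = timeout
        self.table: Dict[Tuple4, float] = {}   # 4-tuple -> last-seen time

    def accept(self, p: Packet) -> bool:
        if p.outbound:
            if p.dst_port not in self.allowed_dst_ports:
                return False
            self.table[(p.src_ip, p.src_port, p.dst_ip, p.dst_port)] = p.time
            return True
        # Inbound: must be the reverse of a live outbound entry.
        reverse = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        last = self.table.get(reverse)
        if last is None:
            return False
        if p.time - last > self.timeout:
            del self.table[reverse]          # expired: drop the packet, forget the flow
            return False
        self.table[reverse] = p.time         # refresh the entry on a valid reply
        return True


class SourcePortFilter:
    """The stateless alternative the message warns about: with no reply
    tracking, inbound UDP can only be admitted by its source port."""

    def __init__(self, allowed_dst_ports: Iterable[int]):
        self.allowed_dst_ports = set(allowed_dst_ports)

    def accept(self, p: Packet) -> bool:
        if p.outbound:
            return p.dst_port in self.allowed_dst_ports
        # Anyone who sets src_port to a permitted service port gets through.
        return p.src_port in self.allowed_dst_ports


def run_scenario() -> Dict[str, Tuple[bool, bool]]:
    """Constructed traffic; returns {name: (stateful_verdict, port_based_verdict)}."""
    stateful = StatefulUdpFilter(allowed_dst_ports={53})
    portbased = SourcePortFilter(allowed_dst_ports={53})
    traffic = [
        # A legitimate DNS query from an internal host, then its reply.
        ("query", Packet("10.1.1.5", 34567, "198.51.100.2", 53, True, 0.0)),
        ("reply", Packet("198.51.100.2", 53, "10.1.1.5", 34567, False, 0.5)),
        # An unsolicited packet with a forged source port 53, aimed at a port
        # from which no internal host ever sent a query.
        ("spoof", Packet("203.0.113.9", 53, "10.1.1.5", 3456, False, 1.0)),
        # A "reply" that arrives after the entry has idled past the timeout.
        ("late", Packet("198.51.100.2", 53, "10.1.1.5", 34567, False, 0.5 + UDP_TIMEOUT + 1)),
    ]
    return {name: (stateful.accept(p), portbased.accept(p)) for name, p in traffic}


if __name__ == "__main__":
    for name, (st, pb) in run_scenario().items():
        print(f"{name:6s} stateful={st!s:5s} port-based={pb!s:5s}")
```

The spoofed and late packets are exactly where the two designs diverge: the port-based rule passes anything that claims source port 53, while the stateful table passes only a reply to a query it saw, and only within the timeout window.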