Firewall Wizards: Re: FW-1 Stateful Inspection of UDP?

Re: FW-1 Stateful Inspection of UDP?

From: Lance Spitzner <lance_at_spitzner.net>
Date: Thu, 7 Dec 2000 15:47:33 -0600 (CST)

On Thu, 7 Dec 2000, Avishai Wool wrote:

> In your "Understanding the FW-1 State Table" paper
> http://www.enteract.com/~lspitz/fwtable.html
> you write that FW-1 statefully inspects UDP, i.e.,
> it will accept returning UDP packets if they match an existing
> src-ip/src-port/dst-ip/dst-port tuple that's already in the
> state table (up to a timeout period).
>
> Doesn't this behavior depend on the setting of the "Accept UDP Replies"
> property?

Good question, so I did some testing. First the docs say this about
the "Accept UDP Replies" button:

"When a UDP service connection is accepted on the destination
and Enable UDP Replies is active, the reply channel is allowed.
Only packets from the destination host and port as part of this
communication"

This implies if you disable the "Accept UDP Replies" service,
then return UDP packets will be dropped (such as in a DNS lookup)
unless you build a second rule that specifically allows the return
packet. I confirmed this behavior on FW 4.1 SP2.

However, I found two things odd.

1. The UDP packet was still entered into the state table, even
though "Accept UDP Replies" is disabled. Apparently these entries
are ignored.

---- FW-1 CONNECTIONS STATE TABLE ---

Src_IP         Src_Prt  Dst_IP          Dst_Prt  IP_prot  Kbuf  Type   Flags     Timeout

192.168.1.100  1712     192.168.1.254   22       6        0     16385  01ffff00  3599/3600
192.168.1.100  1708     192.168.1.254   258      6        0     16385  01ffff00  3542/3600
192.168.1.10   3393     207.229.143.1   0        17       0     16386  0103ff00  12/40
192.168.1.10   3393     207.229.143.1   53       17       0     16386  0103ff00  12/40
192.168.1.100  1704     207.126.127.75  80       6        0     16385  0103ff00  3485/3600

2. The return UDP packet is dropped; however, it is NOT logged until the time
has expired in the state table.

Hope this helps ...

lance

_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_nfr.com
http://www.nfr.com/mailman/listinfo/firewall-wizards
Received on Dec 09 2000
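A small model of the behaviour described in the message above, added here as an illustration; it is not part of the original post and not FireWall-1 code. It reproduces the reply-channel tuple match, the entry being created whether or not "Accept UDP Replies" is set, and the drop being logged only when the entry times out. The addresses and the 40-second timeout come from the posted table; the data structures and the function names are assumptions.

```python
"""Constructed model of the FW-1 UDP state-table behaviour (not vendor code)."""
from dataclasses import dataclass, field

UDP_TIMEOUT = 40  # seconds, from the "12/40" column in the posted table


@dataclass
class Entry:
    expires_at: int
    pending_drops: int = 0  # replies dropped but not yet written to the log


@dataclass
class Fw1Udp:
    accept_udp_replies: bool
    table: dict = field(default_factory=dict)  # (src, sport, dst, dport) -> Entry
    log: list = field(default_factory=list)

    def outbound(self, src, sport, dst, dport, now):
        # Observation 1: the accepted outbound packet is always entered into
        # the state table, even when "Accept UDP Replies" is disabled.
        self.table[(src, sport, dst, dport)] = Entry(now + UDP_TIMEOUT)
        return "accept"

    def inbound(self, src, sport, dst, dport, now):
        self.expire(now)
        entry = self.table.get((dst, dport, src, sport))  # reversed tuple = reply channel
        if entry is None:
            self.log.append(("drop", "no state", now))
            return "drop"
        if self.accept_udp_replies:
            return "accept"
        entry.pending_drops += 1  # Observation 2: dropped, but not logged yet
        return "drop"

    def expire(self, now):
        for key, entry in list(self.table.items()):
            if now >= entry.expires_at:
                for _ in range(entry.pending_drops):
                    self.log.append(("drop", "udp reply", entry.expires_at))
                del self.table[key]


def dns_scenario(accept_udp_replies):
    """Client 192.168.1.10:3393 queries 207.229.143.1:53; the reply arrives 1 s
    later; then the entry times out. Returns (verdict, log entries at drop time,
    log entries after timeout, remaining table entries)."""
    fw = Fw1Udp(accept_udp_replies)
    fw.outbound("192.168.1.10", 3393, "207.229.143.1", 53, now=0)
    verdict = fw.inbound("207.229.143.1", 53, "192.168.1.10", 3393, now=1)
    logged_at_drop = len(fw.log)
    fw.expire(now=UDP_TIMEOUT)
    return verdict, logged_at_drop, len(fw.log), len(fw.table)
```

Running `dns_scenario(False)` shows the drop appearing in the log only after the 40-second expiry, which is why a log review at the time of the failed lookup shows nothing.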
