Firewall Wizards mailing list archives

Re: FW-1 Stateful Inspection of UDP?


From: Lance Spitzner <lance () spitzner net>
Date: Thu, 7 Dec 2000 15:47:33 -0600 (CST)

On Thu, 7 Dec 2000, Avishai Wool wrote:

> In your "Understanding the FW-1 State Table" paper
>   http://www.enteract.com/~lspitz/fwtable.html
> you write that FW-1 statefully inspects UDP, i.e.,
> it will accept returning UDP packets if they match an existing
> src-ip/src-port/dst-ip/dst-port tuple that's already in the
> state table (up to a timeout period).
>
> Doesn't this behavior depend on the setting of the "Accept UDP Replies"
> property?

Good question, so I did some testing.  First the docs say this about
the "Accept UDP Replies" button:

"When a UDP service connection is accepted on the destination
and Enable UDP Replies is active, the reply channel is allowed.
Only packets from the destination host and port as part of this
communication"

This implies if you disable the "Accept UDP Replies" service,
then return UDP packets will be dropped (such as in a DNS lookup)
unless you build a second rule that specifically allows the return
packet.  I confirmed this behavior on FW 4.1 SP2.

However, I found two things odd.

1.  The UDP packet was still entered into the state table, even
though "Accept UDP Replies" is disabled.  Apparently these entries
are ignored.

                                 ---- FW-1 CONNECTIONS STATE TABLE ---


Src_IP          Src_Prt Dst_IP          Dst_Prt IP_prot Kbuf    Type    Flags           Timeout

192.168.1.100   1712    192.168.1.254   22      6       0       16385   01ffff00        3599/3600
192.168.1.100   1708    192.168.1.254   258     6       0       16385   01ffff00        3542/3600
192.168.1.10    3393    207.229.143.1   0       17      0       16386   0103ff00        12/40
192.168.1.10    3393    207.229.143.1   53      17      0       16386   0103ff00        12/40
192.168.1.100   1704    207.126.127.75  80      6       0       16385   0103ff00        3485/3600

2.  The return UDP packet is dropped; however, it is NOT logged until the time
has expired in the state table.


Hope this helps ...

lance
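The matching rule Lance describes (a returning UDP packet is accepted only if it reverses an existing src-ip/src-port/dst-ip/dst-port entry that has not timed out, and only when "Accept UDP Replies" is on) can be modelled in a few lines. The following is an added illustration, not FW-1 code and not from Lance's post: it parses the state-table dump printed above, then decides what happens to a candidate reply. The `handle_udp_reply` function and its "logged" flag are a simplified reading of the two observations in the post (entries are created even with the property off; drops of matching packets are not logged while the entry is live), not Check Point's actual logic.

```python
"""Toy model of stateful UDP reply handling as described in the post.

Added example: the table text is the dump shown in the post; the matching
and logging rules below are an assumption that mirrors the post's two
observations, not the real FW-1 implementation.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the state table exactly as printed in the post.
STATE_TABLE_TEXT = """
Src_IP          Src_Prt Dst_IP          Dst_Prt IP_prot Kbuf    Type    Flags           Timeout
192.168.1.100   1712    192.168.1.254   22      6       0       16385   01ffff00        3599/3600
192.168.1.100   1708    192.168.1.254   258     6       0       16385   01ffff00        3542/3600
192.168.1.10    3393    207.229.143.1   0       17      0       16386   0103ff00        12/40
192.168.1.10    3393    207.229.143.1   53      17      0       16386   0103ff00        12/40
192.168.1.100   1704    207.126.127.75  80      6       0       16385   0103ff00        3485/3600
"""

UDP = 17  # IP protocol number for UDP


@dataclass(frozen=True)
class Entry:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int
    remaining: int  # seconds left before the entry expires
    limit: int      # the entry's full timeout value


def parse_state_table(text: str) -> List[Entry]:
    """Parse the whitespace-separated connections dump into Entry records."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines and the header row (its second column is not numeric).
        if len(fields) != 9 or not fields[1].isdigit():
            continue
        remaining, limit = (int(x) for x in fields[8].split("/"))
        entries.append(Entry(fields[0], int(fields[1]), fields[2], int(fields[3]),
                             int(fields[4]), remaining, limit))
    return entries


def find_reply_entry(table: List[Entry], src_ip: str, src_port: int,
                     dst_ip: str, dst_port: int, elapsed: int = 0) -> Optional[Entry]:
    """Return the live UDP entry that a returning packet reverses, if any.

    The reply's source must be the original destination host/port and its
    destination the original source host/port; 'elapsed' seconds are
    subtracted from the entry's remaining timeout to model expiry.
    """
    for e in table:
        if (e.proto == UDP
                and e.dst_ip == src_ip and e.dst_port == src_port
                and e.src_ip == dst_ip and e.src_port == dst_port
                and e.remaining - elapsed > 0):
            return e
    return None


def handle_udp_reply(table: List[Entry], src_ip: str, src_port: int,
                     dst_ip: str, dst_port: int, accept_udp_replies: bool,
                     elapsed: int = 0) -> Tuple[str, bool]:
    """Return (verdict, drop_logged) for a returning UDP packet.

    Assumed model (from the post's observations, not FW-1 internals):
    - a packet matching a live entry is accepted when the property is on;
    - with the property off it is dropped, but the drop is only logged once
      no live entry matches any more (i.e. after the timeout);
    - a packet matching nothing is dropped and logged immediately.
    Logging of accepted packets is not modelled; the flag is always False then.
    """
    entry = find_reply_entry(table, src_ip, src_port, dst_ip, dst_port, elapsed)
    if entry is None:
        return ("drop", True)
    if accept_udp_replies:
        return ("accept", False)
    return ("drop", False)


if __name__ == "__main__":
    table = parse_state_table(STATE_TABLE_TEXT)
    # DNS answer coming back from 207.229.143.1:53 to the client's port 3393.
    for setting in (True, False):
        print("Accept UDP Replies =", setting,
              handle_udp_reply(table, "207.229.143.1", 53, "192.168.1.10", 3393, setting))
    # Same packet after the 12 remaining seconds have passed: entry expired, drop now logged.
    print("after timeout:", handle_udp_reply(table, "207.229.143.1", 53,
                                              "192.168.1.10", 3393, False, elapsed=12))
```

Running the script shows the reply being accepted with the property on, dropped silently with it off while the 12/40 entry is still live, and dropped with a log entry once the timeout has run out. A reply from a different source port (say 54) or one that reverses a TCP entry never matches and is dropped and logged straight away.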


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards