Firewall Wizards mailing list archives
FW-1 Stateful Inspection of UDP?
From: Avishai Wool <yash () lumeta com>
Date: Thu, 07 Dec 2000 16:24:42 -0500
Lance,

In your "Understanding the FW-1 State Table" paper http://www.enteract.com/~lspitz/fwtable.html you write that FW-1 statefully inspects UDP, i.e., it will accept returning UDP packets if they match an existing src-ip/src-port/dst-ip/dst-port tuple that's already in the state table (up to a timeout period).

Doesn't this behavior depend on the setting of the "Accept UDP Replies" property? According to http://www.phoneboy.com, if this property is set to FALSE, FW-1 does NOT do stateful inspection of UDP.

Actually, I think that disabling the "accept UDP replies" is a bad thing, if you plan on letting any type of bidirectional UDP sessions thru the firewall: if it's disabled, you have to filter the replies based on their source port numbers, which can easily be spoofed.

Do you know of any situation when you'd actually want to disable UDP replies?

Avishai

--
Avishai Wool, Ph.D., Chief Scientist & Co-Founder, Lumeta Corp.
600 Mountain Avenue, Room 2F-112, Murray Hill, NJ 07974, USA
http://www.lumeta.com
Research: http://www.bell-labs.com/~yash/
Email: yash () lumeta com
Tel: (908) 582-6576 Fax: (908) 582-8129
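A small model of the two behaviours discussed in the message above, added here as an illustration and not code from FW-1, from the paper, or from anyone in this thread: with "Accept UDP Replies" on, an outbound packet creates a 4-tuple state entry and only a matching, unexpired reply is accepted; with it off, the reply filter can only look at the source port. The timeout value, addresses and port numbers are constructed for the example.

```python
from dataclasses import dataclass, field

UDP_TIMEOUT = 40  # seconds; constructed value for the illustration, not FW-1's real default

@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class UdpFirewall:
    """Toy UDP policy: stateful (accept_udp_replies=True) or static source-port rules."""
    accept_udp_replies: bool
    allowed_reply_src_ports: set = field(default_factory=set)  # static rules, stateless mode
    state: dict = field(default_factory=dict)  # 4-tuple -> last-seen time

    def outbound(self, pkt: Packet, now: float) -> None:
        """An allowed outbound packet creates a state-table entry keyed by its 4-tuple."""
        if self.accept_udp_replies:
            self.state[(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)] = now

    def inbound(self, pkt: Packet, now: float) -> bool:
        """Accept an inbound packet only as a matching, unexpired reply (stateful mode)."""
        if self.accept_udp_replies:
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)  # reversed tuple
            started = self.state.get(key)
            if started is None or now - started > UDP_TIMEOUT:
                self.state.pop(key, None)  # expire a stale entry
                return False
            self.state[key] = now  # traffic refreshes the timer
            return True
        # Stateless mode: only the source port is checked, which any sender can choose.
        return pkt.src_port in self.allowed_reply_src_ports

def demo() -> dict:
    """Constructed scenario: internal host 10.0.0.5 sends a DNS query to 192.0.2.53."""
    query = Packet("10.0.0.5", 40123, "192.0.2.53", 53)
    reply = Packet("192.0.2.53", 53, "10.0.0.5", 40123)
    unsolicited = Packet("198.51.100.9", 53, "10.0.0.5", 40123)  # other host, src port 53
    stateful = UdpFirewall(accept_udp_replies=True)
    stateful.outbound(query, now=0)
    stateless = UdpFirewall(accept_udp_replies=False, allowed_reply_src_ports={53})
    return {
        "stateful_reply": stateful.inbound(reply, now=1),                  # True
        "stateful_unsolicited": stateful.inbound(unsolicited, now=2),      # False
        "stateful_late": stateful.inbound(reply, now=100),                 # False, timed out
        "stateless_unsolicited": stateless.inbound(unsolicited, now=2),    # True
    }
```

The last result is the point of the message: once state tracking is off, any host that picks source port 53 passes the reply rule.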