[afnog] how stateful firewall works for UDP?

Frank Habicht geier at geier.ne.tz
Sat Jan 22 07:44:35 UTC 2011


On 1/21/2011 9:39 PM, Tarig Ahmed wrote:
> Dear All
> Hi
> 
> Default configuration for a stateful firewall is to allow traffic from
> TRUST ZONE to UNTRUST ZONE.
> 
> As I know, those devices will use some fields in the TCP header.
> 
> But how will the firewall handle this policy for non-TCP traffic
> (UDP, ICMP, and IPsec)?
> 
> I think understanding this will help me in the designing.
> 
> Thanks

Hi,

Any checking on headers can be done directly by looking at the packet.
"Stateful" means that the firewall keeps (memorises) the "state" of a
connection (for some time), for example whether there was an earlier
outgoing request, for which this packet now might be the answer.

A stateful firewall can then be configured to allow a UDP packet from
port 53 of i.root-servers.net to your inside local host "dns-resolver"
_only_ if there was an earlier outgoing query from "dns-resolver"
to i.root-servers.net port 53 UDP.
As an example.

Speculation:
the firewall could possibly be set to allow IPsec traffic in to your
trusted zone only if there was previous outgoing traffic from your
trusted zone to those IPs [and it has 'kept the state', i.e. still knows
about it].

Frank
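The mechanism Frank describes, as an added example that is not part of the original thread or of any vendor's firewall: a toy stateful filter that records each outbound UDP flow as a 5-tuple with an expiry time and admits an inbound packet only if it is the exact reverse of a still-live outbound flow. Addresses are RFC 5737 documentation addresses standing in for "dns-resolver" and i.root-servers.net, the 30-second timeout and the `Packet` and `StatefulFilter` names are assumptions of this example, and the "esp" entries (no ports, keyed on the address pair only) show the IPsec idea Frank speculates about, not how any real firewall handles IPsec.

```python
"""Toy stateful packet filter: UDP (and port-less protocols) are tracked
as pseudo-connections keyed on the outbound 5-tuple, with a timeout."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int       # 0 for protocols without ports (e.g. "esp")
    dst: str
    dport: int
    proto: str = "udp"


class StatefulFilter:
    """Default policy: trust -> untrust allowed, untrust -> trust denied
    unless the packet matches the reverse of a tracked outbound flow."""

    def __init__(self, timeout=30.0):        # timeout is an assumed value
        self.timeout = timeout
        # (proto, inside_ip, inside_port, outside_ip, outside_port) -> expiry
        self.table = {}

    def outbound(self, pkt, now):
        # Trust -> untrust: allowed, and the flow is memorised for `timeout` s.
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        self.table[key] = now + self.timeout
        return True

    def inbound(self, pkt, now):
        # Untrust -> trust: look up the *reversed* tuple, i.e. the outbound
        # flow this packet would be the answer to.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        expiry = self.table.get(key)
        if expiry is None:
            return False                     # no state: unsolicited, drop
        if now > expiry:
            del self.table[key]              # state aged out, drop
            return False
        self.table[key] = now + self.timeout # refresh: flow is still active
        return True


def demo():
    """Walk through the DNS example and return each decision by name."""
    fw = StatefulFilter(timeout=30.0)
    resolver, root = "192.0.2.10", "198.51.100.17"   # constructed addresses
    query = Packet(resolver, 40321, root, 53)
    reply = Packet(root, 53, resolver, 40321)
    results = {}
    # A reply that arrives before any query: nothing in the state table.
    results["reply_before_query"] = fw.inbound(reply, now=0.0)
    results["query_out"] = fw.outbound(query, now=0.0)
    results["reply_after_query"] = fw.inbound(reply, now=1.0)
    # Same ports, different source: not the host we queried.
    results["reply_from_other_host"] = fw.inbound(
        Packet("203.0.113.5", 53, resolver, 40321), now=1.0)
    # Right peer, but a port we never sent from.
    results["unsolicited_port"] = fw.inbound(
        Packet(root, 53, resolver, 5353), now=1.0)
    # Well past the (refreshed) expiry: state has aged out.
    results["reply_after_timeout"] = fw.inbound(reply, now=100.0)
    # IPsec ESP has no ports: state is kept on the address pair only.
    esp_peer = "203.0.113.9"
    fw.outbound(Packet(resolver, 0, esp_peer, 0, proto="esp"), now=0.0)
    results["esp_reply"] = fw.inbound(
        Packet(esp_peer, 0, resolver, 0, proto="esp"), now=2.0)
    results["esp_from_other_peer"] = fw.inbound(
        Packet("203.0.113.10", 0, resolver, 0, proto="esp"), now=2.0)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'DROP'}")
```

Two things the toy makes visible that the prose only implies: UDP "state" is nothing more than a remembered tuple plus a timer, so a long-silent flow is dropped even though nothing was ever "closed", and the match has to be on the full reversed tuple, or a reply-shaped packet from any host on port 53 would get through.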