UDP and "-m state --state xxx"? (Re: [suse-security] Looking for a secure time service)

Andreas Baetz wrote:
> iptables -t filter -A INPUT -i <your interface> -m state -p udp [...] --state ESTABLISHED

There, you got me confused. I'm a freshman in the firewall arena, and although I can understand that "-m state --state xxx" makes sense with TCP (which opens and closes _directed_ connections actively), I don't know if and how this makes sense with UDP. If I'm not mistaken, UDP is undirected and has no notion of "NEW" or "ESTABLISHED", or has it?

Kind regards / Regards
Dipl. Inform. Ralph Seichter
ISC Informatik Service & Consulting GmbH
Tel +49 2241 867-0
Fax +49 2241 867-222
mailto:r.seichter@isc-inf.com
http://www.isc-inf.com/

On Wednesday 29 August 2001 10:00, Ralph Seichter wrote:
> Andreas Baetz wrote:
> > iptables -t filter -A INPUT -i <your interface> -m state -p udp [...] --state ESTABLISHED
>
> There, you got me confused. I'm a freshman in the firewall arena, and although I can understand that "-m state --state xxx" makes sense with TCP (which opens and closes _directed_ connections actively), I don't know if and how this makes sense with UDP. If I'm not mistaken, UDP is undirected and has no notion of "NEW" or "ESTABLISHED", or has it?
According to the manual and to my tests it not only works for tcp, but also for udp and icmp (for what else, I don't know). The kernel keeps track of connections (module conntrack AFAIK), so when e.g. a udp packet leaves from port x to server y port z, and a udp packet comes back from server y port z to port x, that incoming packet is regarded as an answer to the first and the state is "ESTABLISHED" (there is a certain time the answer packet is allowed in, I think).

Same for icmp. Here we have echo-request as outgoing (NEW) and echo-reply as incoming (ESTABLISHED).

Makes rules much easier compared to ipchains. That is what sometimes is called "stateful".

Andreas Baetz
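As an added illustration of the behaviour described in the reply above (this is not code from the thread or from the netfilter project), here is a small Python model of a conntrack-style flow table for UDP and ICMP echo, run over a constructed packet capture: the outbound NTP query is NEW, the answer from the same server and port is ESTABLISHED, an unsolicited packet from another host is NEW and is dropped by an INPUT chain that accepts only ESTABLISHED, and an answer that arrives after the entry's lifetime has passed is treated as NEW again. The addresses, ports and the 30-second timeouts are assumptions for the demonstration; the real kernel has tunable timeouts and further states (RELATED, INVALID) that are not modelled here.

```python
"""Toy model of the stateful UDP/ICMP tracking described in the thread.

Added example, not code from the original post or from netfilter. It mimics
what the kernel conntrack module does for connectionless protocols: the first
packet of a flow is NEW, a packet coming back from the other end of that flow
while the entry is still alive is ESTABLISHED. Addresses, ports and the
30-second timeouts are assumptions for the demonstration.
"""
from dataclasses import dataclass

UDP_TIMEOUT = 30.0   # assumed lifetime of a UDP entry, refreshed by every packet
ICMP_TIMEOUT = 30.0  # assumed lifetime of an echo-request waiting for its reply


@dataclass(frozen=True)
class Packet:
    proto: str     # "udp" or "icmp"
    src: str
    dst: str
    sport: int     # UDP source port; for ICMP the echo identifier
    dport: int     # UDP destination port; for ICMP 8 = echo-request, 0 = echo-reply
    time: float    # seconds since the start of the constructed capture


@dataclass
class Entry:
    originator: tuple   # (src, sport) of the packet that created the entry
    seen_reply: bool
    expires: float


class Conntrack:
    """One entry per flow; both directions of a flow map to the same key."""

    def __init__(self):
        self.table = {}

    @staticmethod
    def key(p):
        if p.proto == "udp":
            # Unordered pair of endpoints: A:a->B:b and B:b->A:a hit the same entry
            return ("udp",) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))
        if p.proto == "icmp":
            # Request and reply share the identifier; only the endpoints swap
            return ("icmp",) + tuple(sorted([p.src, p.dst])) + (p.sport,)
        raise ValueError("unsupported protocol " + p.proto)

    def expire(self, now):
        """Drop entries whose lifetime has run out (the 'certain time' caveat)."""
        self.table = {k: e for k, e in self.table.items() if e.expires > now}

    def state(self, p):
        """Classify p as NEW or ESTABLISHED and update the flow table."""
        self.expire(p.time)
        timeout = UDP_TIMEOUT if p.proto == "udp" else ICMP_TIMEOUT
        k = self.key(p)
        entry = self.table.get(k)
        if entry is None:
            self.table[k] = Entry((p.src, p.sport), False, p.time + timeout)
            return "NEW"
        entry.expires = p.time + timeout
        if (p.src, p.sport) != entry.originator:
            entry.seen_reply = True        # traffic came back from the other end
            return "ESTABLISHED"
        # Same direction as the first packet: ESTABLISHED only once a reply was seen
        return "ESTABLISHED" if entry.seen_reply else "NEW"


def input_verdict(state):
    """INPUT chain: -m state --state ESTABLISHED -j ACCEPT, everything else DROP."""
    return "ACCEPT" if state == "ESTABLISHED" else "DROP"


def output_verdict(state):
    """OUTPUT chain: -m state --state NEW,ESTABLISHED -j ACCEPT, everything else DROP."""
    return "ACCEPT" if state in ("NEW", "ESTABLISHED") else "DROP"


HOST, NTP, STRANGER = "192.0.2.10", "198.51.100.5", "203.0.113.9"   # assumed addresses

# Constructed capture: (direction, packet). "out" leaves HOST, "in" arrives at HOST.
CAPTURE = [
    ("out", Packet("udp", HOST, NTP, 40000, 123, 0.00)),      # NTP query
    ("in",  Packet("udp", NTP, HOST, 123, 40000, 0.05)),      # its answer
    ("in",  Packet("udp", STRANGER, HOST, 123, 40000, 1.0)),  # unsolicited "answer"
    ("out", Packet("icmp", HOST, NTP, 0x1234, 8, 2.00)),      # echo-request
    ("in",  Packet("icmp", NTP, HOST, 0x1234, 0, 2.02)),      # echo-reply
    ("out", Packet("udp", HOST, NTP, 40000, 123, 3.00)),      # another query, same flow
    ("in",  Packet("udp", NTP, HOST, 123, 40000, 100.0)),     # late answer, entry timed out
]


def run(capture=CAPTURE):
    """Return [(state, verdict), ...] for each packet of the capture, in order."""
    ct = Conntrack()
    results = []
    for direction, p in capture:
        s = ct.state(p)
        v = output_verdict(s) if direction == "out" else input_verdict(s)
        results.append((s, v))
    return results


if __name__ == "__main__":
    for (direction, p), (s, v) in zip(CAPTURE, run()):
        print(f"{p.time:6.2f}s {direction:3} {p.proto:4} {p.src} -> {p.dst}  {s:11} {v}")
```

The point of the unsolicited packet is that the flow key contains both endpoints, so a packet from another source address to the same local port does not match the existing entry even though the port numbers look right; the late answer shows why an idle UDP flow must be refreshed (or the timeout raised) if replies can take longer than the entry's lifetime.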