Mailinglist Archive: opensuse-security (343 mails)

Re: [suse-security] Susefirewall2 (v1.2): DNS handling
On Tuesday 03 July 2001 20:12, you wrote:
> Hello,

Sorry if my reaction is very late... I didn't see any replies yet though.

> I've just installed FW-2. The transition from FW-1 to FW-2 was trivial,
> maybe too trivial: Some of the rules should be obsolete by now,
> specially the rules for DNS: Why is "connection" tracking for UDP not
> used?

UDP is, alas, a connectionless protocol; therefore connection tracking
would be impossible with UDP.
Or, maybe through some genius hack it could be possible to "track" obvious
"answers" to previous packets, but UDP itself is still "stateless".

I do not know if such a thing could be possible, recognizing UDP replies
by examining the packet-workload, but it is impossible from the headers
because it is stateless. IIRC, correct me if I'm wrong.

Maarten


> Ciao
> Jörg

--

Maarten J H van den Berg
van Boetzelaer van Bemmel, informatie- en netwerktechnologie
http://vbvb.nl T 020-4233288 F 020-4233286 G 06-51994273
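As an added illustration of the UDP tracking question discussed in this thread (example code, not from the thread, SuSEfirewall2 or netfilter), here is a small Python model of how netfilter's conntrack pairs a DNS reply with the query that caused it using only the header 4-tuple and a timer, so that an unsolicited UDP packet aimed at the same client port is not accepted as a reply. The addresses, ports and the 30-second timeout are constructed for the model.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport ts")

class UdpTracker:
    """UDP 'pseudo-connections' keyed on the header 4-tuple with a timeout, as in netfilter conntrack."""
    def __init__(self, timeout=30.0):  # 30 s is an assumed value for this model
        self.timeout = timeout
        self.flows = {}  # 4-tuple of the opening packet -> last-seen timestamp

    def state(self, pkt):
        """'ESTABLISHED' if pkt matches a live flow in either direction, else 'NEW' (no insert)."""
        self.flows = {k: t for k, t in self.flows.items() if pkt.ts - t <= self.timeout}
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # a reply reverses the tuple
        for key in (fwd, rev):
            if key in self.flows:
                self.flows[key] = pkt.ts  # refresh the timer
                return "ESTABLISHED"
        return "NEW"

    def confirm(self, pkt):
        """Create the entry; like conntrack, only an accepted packet confirms a flow."""
        self.flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.ts

def filter_dns(packets, inside_prefix="192.0.2.", tracker=None):
    """Inside hosts may send DNS queries (creating state); inbound UDP is
    accepted only as the ESTABLISHED reply to such a query."""
    tracker = tracker or UdpTracker()
    verdicts = []
    for pkt in packets:
        outbound = pkt.src.startswith(inside_prefix)
        st = tracker.state(pkt)
        if (outbound and pkt.dport == 53) or (not outbound and st == "ESTABLISHED"):
            if st == "NEW":
                tracker.confirm(pkt)
            verdicts.append("ACCEPT")
        else:
            verdicts.append("DROP")
    return verdicts

# Constructed traffic: a query, its reply, a forged "reply" from another address,
# and the real server answering again after the flow has timed out.
SAMPLE_PACKETS = [
    Packet("192.0.2.10", 40000, "198.51.100.1", 53, 0.0),
    Packet("198.51.100.1", 53, "192.0.2.10", 40000, 0.1),
    Packet("203.0.113.5", 53, "192.0.2.10", 40000, 0.2),
    Packet("198.51.100.1", 53, "192.0.2.10", 40000, 60.0),
]
```

Running `filter_dns(SAMPLE_PACKETS)` yields ACCEPT for the query and its timely reply, and DROP for the forged reply and the late one.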
