That's the "keep state" of ip filter, and as Carson says, every stateful
filter handles this.
The difference with TCP is that a malicious user can inject packets
if he manages to send 'em while you're waiting for a reply. Unlike TCP,
UDP provides no state nor sequence numbers, so one can forge
"replies" easily. This is possible even with TCP in the case of implementations
that incompletely handle the TCP state and/or sequence numbers, and it
seems such implementations exist :)
Once again, proxies are the way, since as applications they manage the state
completely, and having replies get back to the FW allows more control than when
they go to "normal" hosts. Note that bind is a proxy!
cheers,
mouss
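As an added illustration of the point above (example code, not from the original post or from the list): a toy "keep state" UDP rule that passes any inbound packet matching the reversed address/port tuple until the entry times out, beside the transaction-ID and question check that an application-level DNS proxy such as bind can make on a reply and a packet filter cannot. The packet tuples and DNS messages are constructed samples; `StatefulUdpFilter`, `_question_len` and `dns_reply_matches` are names chosen here, not ip filter or bind APIs.

```python
import time

class StatefulUdpFilter:
    """Model of an ip filter 'keep state' rule for UDP. An outbound packet
    (src, sport, dst, dport) opens an entry; an inbound packet passes only
    while it matches the reversed tuple of a live entry. The payload is
    never inspected, so a forged 'reply' with the right addresses and
    ports passes too. `now` is injectable so the timeout can be tested."""
    def __init__(self, ttl=30.0, now=time.monotonic):
        self.ttl, self.now, self.table = ttl, now, {}

    def outbound(self, src, sport, dst, dport):
        # key the entry by the tuple a genuine reply will carry
        self.table[(dst, dport, src, sport)] = self.now() + self.ttl

    def inbound(self, src, sport, dst, dport):
        key = (src, sport, dst, dport)
        expires = self.table.get(key)
        if expires is None:
            return False
        if expires < self.now():          # window closed: drop and forget
            del self.table[key]
            return False
        return True

def _question_len(msg):
    """Length of the DNS question section: labels, then QTYPE + QCLASS."""
    i = 12
    while i < len(msg):
        if msg[i] == 0:
            return i + 5 - 12
        i += 1 + msg[i]
    return None

def dns_reply_matches(query, reply):
    """Application-level check a resolving proxy can make and a packet
    filter cannot: same transaction ID, QR bit set, question echoed."""
    if len(query) < 12 or len(reply) < 12 or query[:2] != reply[:2]:
        return False
    if not reply[2] & 0x80:               # QR=0 means this is not a response
        return False
    qlen = _question_len(query)
    if qlen is None or len(query) < 12 + qlen:
        return False
    return reply[12:12 + qlen] == query[12:12 + qlen]

# constructed sample: A query for example.com (ID 0x1a2b) and a matching reply
QUERY = bytes.fromhex("1a2b01000001000000000000") + b"\x07example\x03com\x00\x00\x01\x00\x01"
REPLY = bytes.fromhex("1a2b81800001000100000000") + QUERY[12:] + bytes.fromhex("c00c0001000100000e100004c0000201")
```

The filter lets every packet carrying the expected tuple through until the entry expires, while the proxy-side check rejects a reply whose ID or question does not match the query it sent.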