On Thu, Apr 19, 2001 at 08:28:31PM +0530, Swamy Patil wrote:
> State tables are maintained and checked against SYN, FIN, ACK etc., but what about
> UDP? Does it just check against the rule base and then give a green or red signal based on
> the rule base itself?

Yes, for UDP and ICMP State Keeping is nearly as important and do-able as
for TCP. ICMP Messages for example can be filtered if they belong to actual
requests or to existing TCP connections. UDP can be filtered on content and
by keeping track of requests.

There were some issues in the ICMP expect scripts of firewall1, which made
the implementation nearly stateless, but there are third party scripts to
keep good state for ICMP, afaik. Perhaps they are already distributed with
FW1.

Linux has something which is able to relate connections to each other,
enabling you to relate UDP Data to TCP control connections. Also most of the
existing (dyn)NAT implementations do some ICMP processing based on the TCP
state table. Linux for example can also keep State for UDP, ICMP and GRE in
dyn NAT/Masquerading.

Greetings
Bernd
--
www.freefire.org - where the security has a list
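
The request tracking described in the reply above, sketched in Python as an added example (not part of the original message and not code from FW1 or Linux). The class name, method names, verdict strings and the 30-second timeout are assumptions; the addresses are constructed sample values.

```python
from dataclasses import dataclass

UDP_TIMEOUT = 30.0  # seconds; assumed idle timeout for a UDP pseudo-connection


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

    def reversed(self):
        return Flow(self.dst, self.dport, self.src, self.sport)


class UdpStateTable:
    """Toy state table: UDP has no SYN/FIN, so state is 'a request was seen recently'."""

    def __init__(self, timeout=UDP_TIMEOUT):
        self.timeout = timeout
        self.flows = {}  # Flow as sent by the inside host -> last-seen time

    def _live(self, flow, now):
        seen = self.flows.get(flow)
        if seen is None:
            return False
        if now - seen > self.timeout:
            del self.flows[flow]  # idle entry expired, forget it
            return False
        return True

    def outbound_udp(self, flow, now):
        # Rule base is assumed to have allowed the request; record state for it.
        self.flows[flow] = now
        return "accept"

    def inbound_udp(self, flow, now):
        # Accept only a reply whose reversed 4-tuple matches a tracked request.
        orig = flow.reversed()
        if self._live(orig, now):
            self.flows[orig] = now  # traffic in either direction refreshes the entry
            return "accept"
        return "drop"

    def inbound_icmp_error(self, embedded, now):
        # ICMP errors quote the header of the packet that triggered them;
        # accept only if that quoted packet belongs to a tracked flow.
        return "accept" if self._live(embedded, now) else "drop"
```
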