On Jun 6, 2011, at 2:14 PM, Christopher Slater-Walker wrote:

> I don't know how ip6tables works, but most (all?) commercial firewalls I've
> worked with - which means Cisco and Checkpoint - maintain a connection in the
> connection table for UDP for a set period of time.

They _can_ maintain UDP state in their connection tables. It's a reasonable idea for low-traffic-volume UDP services, but it adds packet handling delay, which is undesirable for NTP.

> Exactly how long that is, I can't actually remember right now. This is really
> a necessity in a firewall, since once a firewall rule has allowed a UDP flow
> to pass in one direction, the response to that flow also has to be allowed
> through the firewall in the opposite direction. It is not necessary in this
> context to create separate rules for each direction where the traffic is part
> of the same UDP connection.

Before firewalls widely implemented connection state tracking, people implemented bidirectional rules which permitted both originating and responding traffic to pass. They also tended to implement per-protocol proxies for traffic which enforced protocol compliance, rather than the more "modern" approach of just implementing a stateful packet-filtering router which has been lightly salted with "deep packet inspection" or whatever the latest buzzword is.

It's amazing how many supposed firewalls will permit arbitrary traffic going by over ports 80 and 443, regardless of whether it actually is HTTP(S) or being used for BitTorrent, an IRC channel for malware, or whatever else.

Regards,
-- 
-Chuck

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
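The thread contrasts two ways a firewall can admit the reply to an outbound NTP query: a pair of static bidirectional rules (one per direction) versus a connection table that records the outbound UDP flow and expires it after a timeout. The following is an added illustration written for this page, not code from the list or from any firewall product. It models both approaches in a few dozen lines so the difference in what each one lets through can be observed directly. The packet addresses are constructed from the documentation prefix, the 30-second UDP timeout is an assumed value chosen for the example, and the `Packet`, `StatelessFilter` and `StatefulFilter` names are hypothetical.

```python
"""Toy model of stateless bidirectional UDP rules versus a stateful
connection table, using NTP (UDP/123) as the example service.

Added example; not code from the ntp.org pool list thread. Addresses
and the timeout value are constructed for illustration only.
"""
from dataclasses import dataclass

NTP_PORT = 123


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = host toward the Internet, "in" = toward the host
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatelessFilter:
    """Pre-conntrack style: one rule per direction, no memory of flows.

    Outbound: anything to UDP/123 is allowed.
    Inbound:  anything *from* UDP/123 is allowed, because that is the only
              way the reply to the outbound query can get back in.
    """

    def allow(self, pkt: Packet, now: float) -> bool:
        if pkt.direction == "out" and pkt.dst_port == NTP_PORT:
            return True
        if pkt.direction == "in" and pkt.src_port == NTP_PORT:
            return True
        return False


class StatefulFilter:
    """Connection-table style: an outbound query creates an entry keyed on
    the 4-tuple; only the matching reverse-direction datagram is admitted,
    and only until the entry expires."""

    def __init__(self, udp_timeout: float = 30.0):
        self.udp_timeout = udp_timeout  # assumed value for the example
        self.table: dict[tuple, float] = {}  # 4-tuple -> expiry time

    def _expire(self, now: float) -> None:
        # Drop entries whose idle timer has run out.
        self.table = {k: exp for k, exp in self.table.items() if exp > now}

    def allow(self, pkt: Packet, now: float) -> bool:
        self._expire(now)
        if pkt.direction == "out" and pkt.dst_port == NTP_PORT:
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.table[key] = now + self.udp_timeout
            return True
        if pkt.direction == "in":
            # Reverse the tuple: the reply's dst is our src and vice versa.
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            if key in self.table:
                self.table[key] = now + self.udp_timeout  # refresh idle timer
                return True
        return False


def run_scenario() -> dict[str, tuple[bool, bool]]:
    """Replay four constructed datagrams through both filters.

    Returns {event: (stateless_decision, stateful_decision)}.
    """
    host, server, other = "2001:db8::10", "2001:db8::123", "2001:db8::dead"
    query = Packet("out", host, 40000, server, NTP_PORT)
    reply = Packet("in", server, NTP_PORT, host, 40000)
    # A datagram from a host the client never queried, but with sport 123.
    unsolicited = Packet("in", other, NTP_PORT, host, 40000)

    stateless, stateful = StatelessFilter(), StatefulFilter(udp_timeout=30.0)
    events = [
        ("query", query, 0.0),
        ("reply", reply, 1.0),
        ("unsolicited", unsolicited, 2.0),
        ("late_reply", reply, 100.0),  # well past the 30 s idle timeout
    ]
    return {name: (stateless.allow(p, t), stateful.allow(p, t))
            for name, p, t in events}


if __name__ == "__main__":
    for name, (sl, sf) in run_scenario().items():
        print(f"{name:12s} stateless={sl!s:5} stateful={sf!s:5}")
```

Running it shows both filters passing the query and its reply, while only the stateless pair of rules also passes the datagram from an unqueried host and the reply that arrives after the table entry has expired. That is the trade the thread describes: the connection table is narrower, at the cost of per-packet table lookups and timer maintenance on every NTP datagram.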
