[135329] in North American Network Operators' Group


Re: how statefull firewall works for udp?

daemon@ATHENA.MIT.EDU (Blake Hudson)
Fri Jan 21 14:40:37 2011

Date: Fri, 21 Jan 2011 13:40:33 -0600
From: Blake Hudson <blake@ispn.net>
To: "nanog@nanog.org list" <nanog@nanog.org>
In-Reply-To: <BLU0-SMTP53809E496540FA4BD76743BBF80@phx.gbl>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

These protocols have their own headers, as well as the IP header that
the firewall can use to maintain state. The difference between them and
TCP is that these protocols are connectionless. Thus, the firewall does
not know when the connection has closed. The typical solution to this is
to have an arbitrary (often user-configurable) timer that allows the
firewall to remove old connections from the firewall's state table. A
similar process also occurs with TCP, albeit with a much longer timeout,
because of the possibility of connections not being closed correctly.

--Blake

-------- Original Message  --------
Subject: how statefull firewall works for udp?
From: Tarig Ahmed <tariq198487@hotmail.com>
To: nanog@nanog.org list <nanog@nanog.org>, African Network Operators
<afnog@afnog.org>
Date: Friday, January 21, 2011 12:39:51 PM
> Dear All
> Hi
>
> Default configuration for stateful firewall is to allow traffic from
> TRUST ZONE to UNTRUST ZONE.
>
> As I know, those devices will use some fields in the TCP header.
>
> But, how the firewall will handle this policy for non-TCP traffic
> (udp, icmp, and IPsec)?
>
> I think understanding this will help me in the designing.
>
> Thanks
>
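
The timer-based state tracking described in the reply above, as an added example that is not part of the original thread: a minimal UDP state table keyed on addresses and ports, where an outbound packet creates an entry, only the matching reply is let back in, and an idle timer removes the entry. The class name, the 30-second timeout and the addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field

UDP_IDLE_TIMEOUT = 30.0  # seconds; assumed value, real firewalls make this configurable


@dataclass
class UdpStateTable:
    """Pseudo-connection tracking for UDP: address/port key plus an idle timer."""
    idle_timeout: float = UDP_IDLE_TIMEOUT
    flows: dict = field(default_factory=dict)  # flow key -> last-seen timestamp

    def expire(self, now):
        """Remove entries idle longer than the timeout; UDP has no FIN/RST to do it."""
        stale = [k for k, seen in self.flows.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.flows[k]
        return len(stale)

    def outbound(self, src, sport, dst, dport, now):
        """Trust -> untrust packet: allowed by policy, creates or refreshes state."""
        self.expire(now)
        self.flows[(src, sport, dst, dport)] = now
        return True

    def inbound(self, src, sport, dst, dport, now):
        """Untrust -> trust packet: allowed only as a reply to a live flow."""
        self.expire(now)
        key = (dst, dport, src, sport)  # reverse of the tuple the inside host sent
        if key not in self.flows:
            return False
        self.flows[key] = now  # reply traffic keeps the flow alive
        return True


def demo():
    """Constructed sample traffic using documentation addresses (RFC 5737)."""
    fw = UdpStateTable()
    results = []
    fw.outbound("192.0.2.10", 40000, "198.51.100.53", 53, now=0.0)
    results.append(fw.inbound("198.51.100.53", 53, "192.0.2.10", 40000, now=0.2))   # reply
    results.append(fw.inbound("203.0.113.7", 53, "192.0.2.10", 40000, now=0.3))     # other host
    results.append(fw.inbound("198.51.100.53", 53, "192.0.2.10", 40000, now=45.0))  # after timeout
    return results


if __name__ == "__main__":
    print(demo())  # [True, False, False]
```

The late reply is dropped even though it comes from the right host and port, because the entry was removed once the flow had been idle longer than the timeout.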


