[f-nsp] UDP 'established' ACL?

David Miller dmiller at metheus.org
Thu Mar 31 20:47:52 EDT 2011


On 3/31/11 5:06 PM, David Miller wrote:


To those who kindly reminded me that UDP is stateless, thank you.

I know UDP is stateless.  Firewalls, however, keep track of UDP packets 
sent - for short periods - so that packets can be returned. DNS, voip, 
and other applications would break if the firewall didn't do this.

That's how I'd like snmp to work here: snmp server on the secure network 
selects a random port, sends a UDP packet from that port to the 
monitored system on 161. Then the SI should know to allow the returned 
packet through.  Instead, the packets get blocked going back to the 
random port.

Sorry to not communicate this clearly the first time. :)

--- David



> Serveriron running 10.2.01oTI4
>
> My setup is a more secure layer with utilities and databases, and a 
> layer for the boxes that have to talk to the 'net.
>
> I currently have an ACL that lets a more-secure box establish TCP 
> connections to the less secure layer:
>
>  permit tcp 192.168.120.0 0.0.0.255 192.168.140.0 0.0.0.255 established
>
>
> I'm installing SNMP now, and would like to have the equivalent rule 
> for UDP - i.e., any host on the more secure layer able to send UDP 
> packets and get the response back.  I tried this:
>
>  permit udp 192.168.120.0 0.0.0.255 192.168.140.0 0.0.0.255 established
>
> and it doesn't raise any syntax errors, but it doesn't allow packets 
> to return to the snmp box.
>
> What am I missing here?
>
> Thanks,
>
> --- David
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/foundry-nsp
>
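The difference between the two behaviours discussed in this thread, a stateless ACL keyword and the short-lived UDP "pseudo-state" a firewall keeps, is easy to model. The following is an added example, not code from the poster or from Foundry; it assumes Cisco-style semantics for `established` (match TCP segments with ACK or RST set) as a model of what the ServerIron keyword does, and the hosts, ports and timeout are constructed for the illustration. It shows why `permit udp ... established` can never match an SNMP reply, and what a session table has to track so that the reply to an ephemeral source port gets through while an unsolicited packet to a different port, or a reply after the idle timer expires, does not.

```python
import ipaddress
from dataclasses import dataclass

SECURE = ipaddress.ip_network("192.168.120.0/24")       # from the post
LESS_SECURE = ipaddress.ip_network("192.168.140.0/24")  # from the post


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK/RST bit set; UDP has no such field


def _in(net, addr):
    return ipaddress.ip_address(addr) in net


def stateless_established(pkt):
    """Model of the ACL keyword 'established' as a stateless flag check
    (assumption: Cisco-style semantics, i.e. match TCP with ACK or RST set).
    Evaluated on traffic entering the secure layer from the less secure one.
    UDP carries no flags, so the keyword can never match a UDP reply."""
    if not (_in(LESS_SECURE, pkt.src) and _in(SECURE, pkt.dst)):
        return False
    return pkt.proto == "tcp" and pkt.ack


class UdpSessionTable:
    """Pseudo-state for UDP, the way a stateful firewall does it: remember
    every outbound 4-tuple for a short time and admit only the exact
    reverse tuple while that entry lives."""

    def __init__(self, timeout=30):
        self.timeout = timeout
        self._sessions = {}  # (src, sport, dst, dport) -> expiry time

    def outbound(self, pkt, now):
        """Called for secure -> less-secure packets; records a session."""
        if pkt.proto == "udp" and _in(SECURE, pkt.src) and _in(LESS_SECURE, pkt.dst):
            self._sessions[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + self.timeout
            return True
        return False

    def inbound_allowed(self, pkt, now):
        """Called for less-secure -> secure packets; admits only replies."""
        if pkt.proto != "udp":
            return False
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reverse of the outbound tuple
        expiry = self._sessions.get(key)
        if expiry is None:
            return False
        if now > expiry:
            del self._sessions[key]                      # idle session expired
            return False
        self._sessions[key] = now + self.timeout         # refresh on traffic
        return True


def snmp_scenario():
    """The exchange from the post: the poller picks an ephemeral source port,
    sends to UDP/161, and the agent answers from 161 back to that port.
    Hosts and ports are constructed for the example."""
    query = Packet("udp", "192.168.120.10", 49152, "192.168.140.20", 161)
    reply = Packet("udp", "192.168.140.20", 161, "192.168.120.10", 49152)
    stray = Packet("udp", "192.168.140.20", 161, "192.168.120.10", 50000)  # never requested
    tcp_reply = Packet("tcp", "192.168.140.20", 80, "192.168.120.10", 40000, ack=True)

    table = UdpSessionTable(timeout=30)
    table.outbound(query, now=0)
    return {
        "established_matches_tcp_reply": stateless_established(tcp_reply),  # True
        "established_matches_udp_reply": stateless_established(reply),      # False
        "stateful_admits_udp_reply": table.inbound_allowed(reply, now=1),    # True
        "stateful_admits_stray_udp": table.inbound_allowed(stray, now=1),    # False
        "stateful_admits_late_reply": table.inbound_allowed(reply, now=60),  # False
    }


if __name__ == "__main__":
    for name, verdict in snmp_scenario().items():
        print(f"{name:32} {'permit' if verdict else 'deny'}")
```

The session table is the piece a stateless ACL keyword cannot supply: the reply is admitted only because the outbound query was seen first, and only until the idle timer runs out. Where the filter in front of the secure layer really is stateless, the usual alternative is to pin the poller to a fixed source port and permit UDP from port 161 on the less secure network to that single port, accepting that any host on that side can then send packets to it.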



