Firewall
BAT54-Rail/F..
Release
7.54
06/08
8.3
The BAT Firewall
263
U UDP connections
UDP is actually a stateless protocol, nevertheless one can speak regarding
UDP-based protocols also of a (only short term) connection, since UDP
mostly carries Request/Response based protocols, with which a client di-
rects its requests to a well known port of a server (e.g. 53 for DNS), which in
turn sends its responds to the source port selected by the client:
However, if the server wants to send larger sets of data (e.g. TFTP) and
would not like or can not differentiate on the well known port between re-
quests and acknowledges, then it sends the response packets to the source
port of the sender of the original request, but uses as its own source port a
free port, on which it reacts now only to those packets, which belong to the
data communication:
While the data communication takes place now over the ports 12345 and
54321, the server on the well-known port (69) can accept further requests. If
the BAT pursues a "Deny All" strategy, the answer packets of an entry of the
port filter Firewall, which permits only a connection to port 69 of the server,
would simply be discarded. In order to prevent this, when creating the entry
in the connection state database, the destination port of the connection is
kept free at first, and set only with the arrival of the first answer packet,
whereby both possible cases of an UDP connection are covered.
Client port Connection Server port
12345
Request
53
12345
Response
53
Client port Connection Server port
12345
Request
69
12345
Response
54321
12345
Ack/Data
54321
12345
Data/Ack
54321
To Next Page
Loading...
Need help?
General
