Re: bind() udp behavior 2.6.8.1

• Previous message: Jan Engelhardt: "Re: how to add 32/64 compatible ioctls at runtime via module?"
• In reply to: Jan Engelhardt: "Re: bind() udp behavior 2.6.8.1"
• Next in thread: Jan Engelhardt: "Re: bind() udp behavior 2.6.8.1"
• Reply: Jan Engelhardt: "Re: bind() udp behavior 2.6.8.1"
• Reply: Wichert Akkerman: "Re: bind() udp behavior 2.6.8.1"
• Reply: Willy Tarreau: "Re: bind() udp behavior 2.6.8.1"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

To: Jan Engelhardt <jengelh@linux01.gwdg.de>
Date:	Tue, 14 Dec 2004 12:38:02 -0500

i am aware that UDP is connectionless. However in terms of a firewall
this is different. It _must_ keep a state table of some sorts otherwise
high port outbound connections destined for a DNS server will never be
let back in b/c the firewall will just say "Why is this dns server
making a udp connection to port 32768 on this client?". Keeping a state
table allows this behavior thru the firewall as it should.

My issue is that linux is not randomizing or incrementing the ports it
uses for udp connections to prevent this sort of issue since udp is
connectionless. We dont have sequence numbers or the sorts like TCP to
sort this out, we only have source ip and port.

Other OS's seem to do this and thus apps are not getting broken when
connections are made thru the firewall, which is why i originally posted
the question. I was hoping that maybe there is some workaround or that
hopefully someone else encountered this issue. I am not saying the
firewall is not totally to blame, but i can see why it is behaving the
way it is when seeing tons of connections from the same udp ip/port come
in.

thanks again
adam

On Tue, 2004-12-14 at 12:10, Jan Engelhardt wrote:
> >any firewall must keep some sort of state table even if it is udp. How
>
> No.
>
> >else do you manage established connections? It must know that some high
>
> You don't manage something that does not need managing. It's like firing a
> bullet at some. You can not tell whether there's still more bullets to come or
> not.
>
> >numbered port is making a udp dns request, and thus be able to allow
> >that request back thru to the high numbered port client b/c the
> >connection is already established.
>
> See linux-os's reply. UDP is connectionless.
>
> >what does any fireawall do if it sees one ip with the same high numbered
> >udp port make a request in a _very_ short amount of time (under 60ms for
> >this example)?
>
> I let it pass.
>
> >It must make a distintion between an attack and legit
> >traffic.
>
> That's something VERY different. There is a difference between **knowing**
> that a set of packets _are related_ to each other and the time between two
> **arbitrary** packets.
>
> > So if it sees one ip/port make multiple requests in too short
> >of a time frame, it will drop the traffic, as it probably should.
>
> Depends on the definition of attack. Look it at that way:
>
> localhost:32768 sends an UDP packet to dnsserver:53... but already the next
> packet CAN BE malicious. (Another process can take over the port if the former
> has dropped the socket.)
>
> >This
> >is causing erratic behavior when traffic traverses the firewall b/c the
>
> Then fix the FW.
>
> >linux kernel keeps allocating the same source high numbered ephemeral
>
> In your case, the socket is allocated once for the whole program. This socket
> is _reused_.
>
> >port. I would like to know if there is a way to alter this behavior b/c
> >it is breaking applications.
>
> No, as said, your FW is broken.
>
>
>
>
> Jan Engelhardt

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

• Previous message: Jan Engelhardt: "Re: how to add 32/64 compatible ioctls at runtime via module?"
• In reply to: Jan Engelhardt: "Re: bind() udp behavior 2.6.8.1"
• Next in thread: Jan Engelhardt: "Re: bind() udp behavior 2.6.8.1"
• Reply: Jan Engelhardt: "Re: bind() udp behavior 2.6.8.1"
• Reply: Wichert Akkerman: "Re: bind() udp behavior 2.6.8.1"
• Reply: Willy Tarreau: "Re: bind() udp behavior 2.6.8.1"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Relevant Pages Re: XP UDP packets ... router with UDP connections approximately every minute on port 1900. ... I applied the UPNP patch and even disabled the SSDP service, but these UDP ... > I have a 3com Internet Firewall and have recently installed XP ... (comp.security.firewalls) FTP Server Question ... I'm trying out the new Bullet Proof ftp server that allows passive ... connections and resolves external ip from within a firewall. ... I have forwarded through my firewall. ... enabled........is that what is requiring UDP? ... (comp.security.firewalls) IIS Outbound Ports ... The server is behind a firewall which only ... allows incoming connections on port 80 ... (TCP & UDP) ... If all outgoing ports, except port 80 (TCP ... (microsoft.public.inetserver.iis) firewall testing framework/parameters ... list on which a firewall would be tested. ... Sustained TCP connections, thoughput & number. ... Sustanied UDP connections (although UDP is ... This list is provided by the SecurityFocus Security Intelligence Alert ... (Pen-Test) Re: [fw-wiz] Firewall Primitives ... >of some sort. ... that firewall primitives should _all_ be connection-oriented. ... firewall should simulate connections to the best of its ability. ... I also suggest you consider firewall primitives should include ... (Firewall-Wizards)