[svlug] kernel masquerading with stateful UDP?

Marc MERLIN marc_merlin at magic.metawire.com
Wed Nov 4 13:20:43 PST 1998


On 4 Nov 1998 03:55:48 -0800, Ira Abramov <ira at scso.com> wrote:
>central server, but I was always told that stateful UDP for firewalling
>was never implemented (well, maybe in the latest 2.1.x kernels, which my
>firewall is not using right now, I like my 186 day uptime :-)

The way UDP masquerading works is that when one of your internal machines
sends a packet, the firewall remembers the port mapping for a certain amount
of time (not sure what the default is, but I set mine to 2 min).
If you send a UDP request and get the answer within that window, it will be
routed back to you. If not, it will get dropped.

You can set the timeout like this:

#		tcp	tcpfin	udp
ipfwadm -M -s	86400	60	120

I haven't really looked at ICQ, but logging in to the ICQ server will work; but
if someone sends you a message and the ICQ server _initiates_ a connection
with you through UDP, the packet won't reach you, unless you happened to
send a UDP packet to the server in the last timeout seconds (timeout being
120 secs in the example above).

What I can tell you is that the basic masquerading mechanism hasn't changed in
2.1.x.

To get a better answer, you'd need someone who knows how the ICQ protocol
functions exactly. The Linux masquerade mailing list would be a perfect
place for this.

Marc
-- 
"Microsoft is to software what McDonalds is to gourmet cooking"
 
Home page: http://marc.merlins.org/ (friendly to non IE browsers)
Finger marc at merlins.org for PGP key and other contact information
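The timeout window Marc describes can be made concrete with a small model of the masquerade table. This is an added illustration, not kernel code and not anything from the post or the svlug list: it keeps one entry per outbound (internal address, port) pair with the time it was last used, expires entries after the UDP timeout (120 seconds, matching the `ipfwadm -M -s` example above), and only lets an inbound datagram through when a live entry exists. The addresses, ports and timestamps are constructed sample values; that the timer is refreshed only by outbound traffic, and that any outside source may hit a live mapping, are simplifying assumptions of this model rather than documented 2.0 kernel behaviour.

```python
"""Toy model of a UDP masquerading table with a timeout window.

Added example, not Linux kernel code. It shows why a reply that arrives
inside the window is delivered, why a datagram sent to a port with no
live mapping (a server-initiated 'connection') is dropped, and how a
fresh outbound packet reopens the window. All addresses, ports and
timestamps below are constructed sample values.
"""


class UdpMasqTable:
    def __init__(self, timeout=120, first_port=61000):
        self.timeout = timeout          # seconds, like the 'udp' column of ipfwadm -M -s
        self.next_port = first_port     # next masqueraded source port to hand out
        self.outbound = {}              # (internal_ip, internal_port) -> (masq_port, last_seen)
        self.inbound = {}               # masq_port -> (internal_ip, internal_port)

    def _expire(self, now):
        """Drop every mapping whose last outbound packet is older than the timeout."""
        for key, (mport, seen) in list(self.outbound.items()):
            if now - seen > self.timeout:
                del self.outbound[key]
                del self.inbound[mport]

    def outbound_packet(self, src_ip, src_port, now):
        """An internal host sends a datagram: create or refresh its mapping.

        Returns the masqueraded port the firewall uses towards the outside.
        """
        self._expire(now)
        key = (src_ip, src_port)
        if key in self.outbound:
            mport, _ = self.outbound[key]
        else:
            mport = self.next_port
            self.next_port += 1
            self.inbound[mport] = key
        self.outbound[key] = (mport, now)   # (re)start the window
        return mport

    def inbound_packet(self, dst_port, now):
        """A datagram arrives from outside for dst_port.

        Returns the internal (ip, port) it is forwarded to, or None when
        the firewall has no live mapping and drops it. (Assumption of this
        model: inbound traffic does not refresh the timer.)
        """
        self._expire(now)
        return self.inbound.get(dst_port)


def demo(timeout=120):
    """Walk through the four cases discussed in the post and report each outcome."""
    table = UdpMasqTable(timeout=timeout)
    inside = ("192.168.1.10", 4000)          # constructed internal host and port
    mport = table.outbound_packet(*inside, now=0)
    results = {}
    # 1. Reply from the server within the window: routed back to the client.
    results["reply_in_window"] = table.inbound_packet(mport, now=60) == inside
    # 2. Server-initiated datagram to a port nobody mapped: dropped.
    results["unsolicited_dropped"] = table.inbound_packet(mport + 1, now=70) is None
    # 3. Reply arriving after the timeout: mapping is gone, dropped.
    results["reply_after_timeout"] = table.inbound_packet(mport, now=timeout + 1) == inside
    # 4. Client sends again, which reopens the window, so the next reply gets through.
    mport2 = table.outbound_packet(*inside, now=timeout + 2)
    results["refreshed_reply"] = table.inbound_packet(mport2, now=timeout + 100) == inside
    return results


if __name__ == "__main__":
    for case, delivered in demo().items():
        print(f"{case:22s} -> {'delivered' if delivered else 'dropped'}")
```

Running the script prints one line per case; the third one (reply after the timeout) is the only reply that is dropped, and the fourth shows that any outbound datagram from the client, even an unrelated keepalive, would have kept the path open, which is the caveat Marc raises for ICQ.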
