Samba help

Bevan C. Bennett bevan at fulcrummicro.com
Sat Jan 10 01:22:03 UTC 2004


Alexander Dalloz wrote:

> Just for the archives: though it is seen so often - just google for
> iptables scripts and you will find it - to use rules for protocol type
> UDP with -m state makes no sense. UDP is, in opposition to TCP, a
> stateless protocol and this way does not know anything about NEW or
> ESTABLISHED or what else.

Untrue!
Well, untrue that using -m state makes no sense with udp.

It's completely true that UDP is a 'stateless' protocol, but
netfilter/iptables tracks your UDP traffic and assigns state to it.

See also the following wonderful reference for much more detail:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html#STATEMACHINE

As a concrete example, I turned off firewall_mods for ntp (a udp based
protocol) and restarted with an ntp.conf file of only "server
servername". The client -does- receive the return udp packets, which
means that they must be considered 'ESTABLISHED' by iptables (no other
rule could match them).

17:20:34.273828 wallace.ntp > verdandi.internal.avlsi.com.ntp: [udp sum 
ok]  v4
client strat 0 poll 6 prec -16 dist 0.000000 disp 0.002944 ref 
(unspec)@0.000000000 orig 3282686371.280867010 rec -0.006823999 xmt 
+62.992918014 (DF) [tos 0x10]  (ttl 64, id 0, len 76)

17:20:34.273992 verdandi.internal.avlsi.com.ntp > wallace.ntp: [udp sum 
ok]  v4
server strat 2 poll 6 prec -17 dist 0.005920 disp 0.057449 ref 
montpelier.ilan.caltech.edu at 3282685794.723586976 orig 
3282686434.273784995 rec +0.010362999 xmt +0.010373000 (DF) [tos 0x10] 
(ttl 64, id 0, len 76)
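To show what the trace above means for a state-matching rule set, here is an added example (not from this post and not netfilter's own code): a small model of the UDP part of connection tracking. It assumes the kernel's default UDP timeouts (30 s unreplied, 180 s once both directions have been seen) and uses the hostnames and port from the tcpdump output, plus two constructed packets.

```python
# Added example (not from the post or from netfilter): a model of how connection
# tracking gives UDP a NEW / ESTABLISHED state although UDP has no handshake.
# First datagram of a 4-tuple is NEW, later ones in either direction are
# ESTABLISHED; entries expire after 30 s unreplied / 180 s once replied (assumed
# default nf_conntrack_udp_timeout values).
UNREPLIED_TIMEOUT, STREAM_TIMEOUT = 30, 180

def reverse(t):  # (src, sport, dst, dport) -> the reply direction
    return (t[2], t[3], t[0], t[1])

class UdpConntrack:
    def __init__(self):
        self.entries = {}  # original-direction tuple -> [last_seen, replied]
    def lookup(self, t, now):  # matching key, expiring a stale entry on the way
        for key in (t, reverse(t)):
            e = self.entries.get(key)
            if e is None:
                continue
            if now - e[0] > (STREAM_TIMEOUT if e[1] else UNREPLIED_TIMEOUT):
                del self.entries[key]
                return None
            return key
        return None
    def classify(self, t, now):
        return "ESTABLISHED" if self.lookup(t, now) else "NEW"
    def confirm(self, t, now):  # only accepted packets create/refresh an entry
        key = self.lookup(t, now)
        if key is None:
            self.entries[t] = [now, False]
        else:
            self.entries[key][0] = now
            if key == reverse(t):
                self.entries[key][1] = True  # reply seen: stream timeout applies

def filter_udp(ct, t, allowed, now):
    """Emulate '-p udp -m state --state <allowed> -j ACCEPT' with default DROP."""
    state = ct.classify(t, now)
    if state in allowed:
        ct.confirm(t, now)
    return (state, "ACCEPT" if state in allowed else "DROP")

def simulate_ntp_client(now=0):
    """Replay the trace on wallace, plus a constructed probe and a late reply."""
    ct = UdpConntrack()
    out_rules = {"NEW", "ESTABLISHED", "RELATED"}  # OUTPUT chain: anything out
    in_rules = {"ESTABLISHED", "RELATED"}          # INPUT chain: replies only
    query, reply = ("wallace", 123, "verdandi", 123), ("verdandi", 123, "wallace", 123)
    probe = ("other-host", 123, "wallace", 123)  # constructed, unsolicited
    return {"query": filter_udp(ct, query, out_rules, now),
            "reply": filter_udp(ct, reply, in_rules, now),
            "probe": filter_udp(ct, probe, in_rules, now),
            "late_reply": filter_udp(ct, reply, in_rules, now + 200)}
```

The reply is ESTABLISHED only because the outgoing query created an entry; the same datagram from a host that was never queried, or one arriving after the entry expired, is NEW and hits the default DROP.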
