Samba help

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Sat Jan 10 03:48:45 UTC 2004 

Am Sa, den 10.01.2004 schrieb Bevan C. Bennett um 02:22:
> Alexander Dalloz wrote:
> 
> > Just for the archives: though it is seen so often - just google for
> > iptables scripts and you will find it - to use rules for protocol type
> > UDP with -m state makes no sense. UDP is, in opposition to TCP, a
> > stateless protocoll and this way does not know anything about NEW or
> > ESTABLISHED or what else.

Hi Bevan!

> Untrue!
> Well, untrue that using -m state makes no sense with udp.
> 
> It's completely true that UDP is a 'stateless' protocol, but 
> netfilter/iptables tracks your UDP traffic and assigns state to it.
> 
> See also the following wonderful reference for much more detail:
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html#STATEMACHINE

>From close reading - you are right!

"UDP connections are in them selves not stateful connections, but rather
stateless. There are several reasons why, mainly because they don't
contain any connection establishment or connection closing; most of all
they lack sequencing. Receiving two UDP datagrams in a specific order
does not say anything about which order in which they where sent. It is,
however, still possible to set states on the connections within the
kernel."

> As a concrete example, I turned off firewall_mods for ntp (a udp based 
> protocol) and restarted with an ntp.conf file of only "server 
> servername". The client -does- recieve the return udp packets, which 
> means that they must be considered 'ESTABLISHED' by iptables (no other 
> rule could match them).
> 
> 17:20:34.273828 wallace.ntp > verdandi.internal.avlsi.com.ntp: [udp sum 
> ok]  v4
> client strat 0 poll 6 prec -16 dist 0.000000 disp 0.002944 ref 
> (unspec)@0.000000000 orig 3282686371.280867010 rec -0.006823999 xmt 
> +62.992918014 (DF) [tos 0x10]  (ttl 64, id 0, len 76)
> 
> 17:20:34.273992 verdandi.internal.avlsi.com.ntp > wallace.ntp: [udp sum 
> ok]  v4
> server strat 2 poll 6 prec -17 dist 0.005920 disp 0.057449 ref 
> montpelier.ilan.caltech.edu at 3282685794.723586976 orig 
> 3282686434.273784995 rec +0.010362999 xmt +0.010373000 (DF) [tos 0x10] 
> (ttl 64, id 0, len 76)

So it's worth to read the documents better.

Thanks Bevan.

Alexander


-- 
Alexander Dalloz | Enger, Germany
PGP key valid: made 13.07.1999
PGP fingerprint: 2307 88FD 2D41 038E 7416  14CD E197 6E88 ED69 5653

More information about the fedora-list mailing list