Re: bind() udp behavior 2.6.8.1

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Adam Denenberg <adam@dberg.org>
To: Jan Engelhardt <jengelh@linux01.gwdg.de>
Cc: linux-kernel@vger.kernel.org
Subject: Re: bind() udp behavior 2.6.8.1
Date: Tue, 14 Dec 2004 12:01:56 -0500	[thread overview]
Message-ID: <1103043716.10965.40.camel@sucka> (raw)
In-Reply-To: <Pine.LNX.4.61.0412141742590.22148@yvahk01.tjqt.qr>

any firewall must keep some sort of state table even if it is udp.  How
else do you manage established connections?  It must know that some high
numbered port is making a udp dns request, and thus be able to allow
that request back thru to the high numbered port client b/c the
connection is already established.

what does any fireawall do if it sees one ip with the same high numbered
udp port make a request in a _very_ short amount of time (under 60ms for
this example)?  It must make a distintion between an attack and legit
traffic.  So if it sees one ip/port make multiple requests in too short
of a time frame, it will drop the traffic, as it probably should.  This
is causing erratic behavior when traffic traverses the firewall b/c the
linux kernel keeps allocating the same source high numbered ephemeral
port.  I would like to know if there is a way to alter this behavior b/c
it is breaking applications.

thanks
adam

please CC me as I am not on this list.

On Tue, 2004-12-14 at 11:44, Jan Engelhardt wrote:
> >sorry "closed" was the wrong term here.  We are using a PIX Firewall
> >Module and it keeps a state table of all connections (tcp and udp). 
> >Thus when a new udp connection comes in with same high numbered source
> 
> UDP does not know connections. As such, _nobody_ can tell whether an UDP 
> packet belongs to a logically existing "connection" or not.
> 
> >port and the firewall has not removed that connection from its state
> >table, the firewall drops the packet.  The firewall needs about 60ms in
> >order to clear that connection from the state table, so if a second udp
> >request with the same high number port/ip comes thru before the firewall
> >clears the connection from the state table, it will drop the connection
> >(which is what we are seeing).
> >
> >FreeBSD seems to increment future udp requests which prevents this
> >problem.  It just seems strange that the kernel would not randomize or
> >increment these source ports for udp requests.
> 
> The kernel does not have problems with UDP, it's probably your firewall.
>

next prev parent reply	other threads:[~2004-12-14 17:06 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2004-12-14 15:38 bind() udp behavior 2.6.8.1 Adam Denenberg
2004-12-14 16:04 ` Jan Engelhardt
2004-12-14 16:42   ` Adam Denenberg
2004-12-14 16:44     ` Jan Engelhardt
2004-12-14 17:01       ` Adam Denenberg [this message]
2004-12-14 17:10         ` Jan Engelhardt
2004-12-14 17:38           ` Adam Denenberg
2004-12-14 17:49             ` Jan Engelhardt
2004-12-15  0:43             ` Wichert Akkerman
2004-12-16  5:49             ` Willy Tarreau
2004-12-14 22:07         ` Kyle Moffett
2004-12-15  2:23           ` Adam Denenberg
2004-12-15  3:19             ` Kyle Moffett
2004-12-15 14:16               ` Adam Denenberg
2004-12-15 19:07                 ` Jan Harkes
2004-12-15 19:22                   ` Adam Denenberg
2004-12-15 20:06                     ` linux-os
2004-12-15 20:19                       ` Adam Denenberg
2004-12-15 20:45                         ` Doug McNaught
2004-12-15 20:48                           ` Adam Denenberg
2004-12-15 20:57                             ` Doug McNaught
2004-12-16  6:10                     ` Willy Tarreau
2004-12-16 14:24                   ` Adam Denenberg
2004-12-16 14:51                     ` Jan Harkes
2004-12-16 15:00                       ` Adam Denenberg
2004-12-16  6:03             ` Willy Tarreau
2004-12-16 14:17               ` Adam Denenberg

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1103043716.10965.40.camel@sucka \
    --to=adam@dberg.org \
    --cc=jengelh@linux01.gwdg.de \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox