How iptables know when an UDP connection is closed ?

How iptables know when an UDP connection is closed ?

[Eddahbi Karim]

Hi,

The question is in the topic, how iptables knows that a UDP connection
is CLOSED ?
Does the connection close only when there's a Timeout ?

-- 
-- 
Eddahbi Karim

Phone :
(33) (0)6 61 30 57 77

France

RE: How iptables know when an UDP connection is closed ?

[Mark E. Donaldson]

Correct.  The UDP state machine is based on "timers". 

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Eddahbi Karim
Sent: Thursday, December 25, 2003 7:15 AM
To: netfilter@lists.netfilter.org
Subject: How iptables know when an UDP connection is closed ?

Hi,

The question is in the topic, how iptables knows that a UDP connection is
CLOSED ?
Does the connection close only when there's a Timeout ?

--
--
Eddahbi Karim

Phone :
(33) (0)6 61 30 57 77

France

RE: How iptables know when an UDP connection is closed ?

[Eddahbi Karim]

Le jeu 25/12/2003 à 20:27, Mark E. Donaldson a écrit :
> Correct.  The UDP state machine is based on "timers". 

Ok, so I've another question.
Can Iptables make a difference between packets of the real application
and a packet generator ?

For example :

X communicates with Y with the application Mooh-1.0 which sends UDP
packets via the port 789 and receives packets from the port 987.

Then Z sends UDP packets to X with a packet generator. The UDP packets
sended have the same dport and sport.

Can Iptables make a difference between "Mooh-1.0" and the packet
generator to avoid flood ?

-- 
-- 
Eddahbi Karim

Phone :
(33) (0)6 61 30 57 77

France

RE: How iptables know when an UDP connection is closed ?

[Mark E. Donaldson]

Netfilter/IPTables works at layers three & four of the OSI model - not at
layer seven.  So, if I understand your question correctly, the answer would
be NO, because it knows nothing about what is happening above layer four.
However, if you have an application that is programmed to always use the
same use the same source & destination ports for it's socket channels, then
this could be defined as such within an iptables rule as an application an
handled accordingly. It would not be able to distinguish them from similar
crafted packets though.  Having said that, the "limit match is available to
handle packet "flooding" as you describe it here. Basically, you have
entered the realm of what an IDS/IPS, such as Snort, do best.  A Snort
preprocessor could well handle this activity.

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Eddahbi Karim
Sent: Friday, December 26, 2003 10:39 AM
To: netfilter@lists.netfilter.org
Subject: RE: How iptables know when an UDP connection is closed ?

Le jeu 25/12/2003 à 20:27, Mark E. Donaldson a écrit :
> Correct.  The UDP state machine is based on "timers". 

Ok, so I've another question.
Can Iptables make a difference between packets of the real application and a
packet generator ?

For example :

X communicates with Y with the application Mooh-1.0 which sends UDP packets
via the port 789 and receives packets from the port 987.

Then Z sends UDP packets to X with a packet generator. The UDP packets
sended have the same dport and sport.

Can Iptables make a difference between "Mooh-1.0" and the packet generator
to avoid flood ?

--
--
Eddahbi Karim

Phone :
(33) (0)6 61 30 57 77

France

Re: How iptables know when an UDP connection is closed ?

[Tom Marshall]

[-- Attachment #1: Type: text/plain, Size: 2470 bytes --]

Some protocols do know when packets should no longer be sent on associated
"connections".  Take RTSP or SIP for example -- a UDP connection is created
and destroyed via the control channel.  The conntrack helper could remove
the UDP connection when the appropriate message is seen (TEARDOWN or BYE). 
Is there a way to do this?

On Fri, Dec 26, 2003 at 01:41:29PM -0800, Mark E. Donaldson wrote:
> Netfilter/IPTables works at layers three & four of the OSI model - not at
> layer seven.  So, if I understand your question correctly, the answer would
> be NO, because it knows nothing about what is happening above layer four.
> However, if you have an application that is programmed to always use the
> same use the same source & destination ports for it's socket channels, then
> this could be defined as such within an iptables rule as an application an
> handled accordingly. It would not be able to distinguish them from similar
> crafted packets though.  Having said that, the "limit match is available to
> handle packet "flooding" as you describe it here. Basically, you have
> entered the realm of what an IDS/IPS, such as Snort, do best.  A Snort
> preprocessor could well handle this activity.
> 
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Eddahbi Karim
> Sent: Friday, December 26, 2003 10:39 AM
> To: netfilter@lists.netfilter.org
> Subject: RE: How iptables know when an UDP connection is closed ?
> 
> Le jeu 25/12/2003 à 20:27, Mark E. Donaldson a écrit :
> > Correct.  The UDP state machine is based on "timers". 
> 
> Ok, so I've another question.
> Can Iptables make a difference between packets of the real application and a
> packet generator ?
> 
> For example :
> 
> X communicates with Y with the application Mooh-1.0 which sends UDP packets
> via the port 789 and receives packets from the port 987.
> 
> Then Z sends UDP packets to X with a packet generator. The UDP packets
> sended have the same dport and sport.
> 
> Can Iptables make a difference between "Mooh-1.0" and the packet generator
> to avoid flood ?
> 
> --
> --
> Eddahbi Karim
> 
> Phone :
> (33) (0)6 61 30 57 77
> 
> France
> 
> 
> 

-- 
There are three principal ways to lose money: wine, women, and engineers.
While the first two are more pleasant, the third is by far the more certain.
        -- Baron Rothschild, ca. 1800

[-- Attachment #2: Type: application/pgp-signature, Size: 240 bytes --]