These protocols have their own headers, as well as the IP header that the firewall can use to maintain state. The difference between them and TCP is that these protocols are connectionless. Thus, the firewall does not know when the connection has closed. The typical solution to this is to have an arbitrary (often user configurable) timer that allows the firewall to remove old connections from the firewall's state table. A similar process also occurs with TCP, albeit with a much longer timeout, because of the possibility of connections not being closed correctly.

--Blake

-------- Original Message --------
Subject: how statefull firewall works for udp?
From: Tarig Ahmed <tariq198487@hotmail.com>
To: nanog@nanog.org list <nanog@nanog.org>, African Network Operators <afnog@afnog.org>
Date: Friday, January 21, 2011 12:39:51 PM
Dear All, Hi
Default configuration for a stateful firewall is to allow traffic from TRUST ZONE to UNTRUST ZONE.
As I know, those devices will use some fields in the TCP header.
But how will the firewall handle this policy for non-TCP traffic (UDP, ICMP, and IPsec)?
I think understanding this will help me in the design.
Thanks
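To illustrate the mechanism Blake describes, here is an added example (not code from either poster or from any firewall vendor): a toy state table in which outbound UDP and ICMP echo flows create entries, inbound packets are admitted only if they match a tracked flow in reverse, and, because there is no FIN or RST to observe, entries are dropped by an idle timer. The timeout values, addresses and ports are constructed for the example, not vendor defaults.

```python
"""Toy stateful-firewall state table for connectionless protocols."""
from dataclasses import dataclass

# Illustrative idle timeouts in seconds (assumed values, not real defaults).
UDP_IDLE_TIMEOUT = 30
ICMP_IDLE_TIMEOUT = 10


@dataclass(frozen=True)
class Flow:
    proto: str   # "udp" or "icmp"
    src: str
    sport: int   # UDP source port; for ICMP echo, the echo identifier
    dst: str
    dport: int   # UDP destination port; for ICMP echo, repeat the identifier

    def reverse(self):
        """The 5-tuple a reply to this flow would carry."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


class StateTable:
    def __init__(self):
        self.entries = {}  # Flow -> timestamp of the last packet seen

    def _timeout(self, proto):
        return UDP_IDLE_TIMEOUT if proto == "udp" else ICMP_IDLE_TIMEOUT

    def expire(self, now):
        """Remove entries idle longer than their protocol's timer; the only
        way a connectionless 'connection' ever leaves the table."""
        for flow, last_seen in list(self.entries.items()):
            if now - last_seen > self._timeout(flow.proto):
                del self.entries[flow]

    def outbound(self, flow, now):
        """Trust -> untrust: allowed by policy, and recorded as state."""
        self.expire(now)
        self.entries[flow] = now
        return True

    def inbound(self, flow, now):
        """Untrust -> trust: allowed only as the reverse of a live entry."""
        self.expire(now)
        key = flow.reverse()
        if key in self.entries:
            self.entries[key] = now  # traffic in either direction refreshes the timer
            return True
        return False
```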