Cisco IOS BVI ACL: Only allow established UDP

Posted by George Bailey on Server Fault
Published on 2011-01-05T13:40:24Z

Related: Cisco IOS ACL: Don't permit incoming connections just because they are from port 80

I know we can use the established keyword for TCP, but what can we do for UDP (short of replacing a Bridge or BVI with a NAT)?

Answer

I found out what "UDP has no connection" means.

DNS uses UDP, for example.

  1. named (DNS server) is listening on port 53.
  2. nslookup (DNS client) starts listening on some random port and sends a packet to port 53 of the server and notes the source port in that packet.
  3. nslookup will retry 3 times if necessary. Also the packets are so small that it does not have to worry about them coming in the wrong order.
  4. If nslookup receives a response on that port that comes from the server's IP and port, then it stops listening. If the server tried to send two responses (for example, a response and a response to the retry), then the server would not care if either of them made it, because the client has the job to retry. In fact, unless an ICMP 3/3 packet gets through, the server would not know about a failure. This is different from TCP, where you get connection closed or timed out errors.

DNS allows for an easy retry from the client as well as small packets, so UDP is an excellent choice because it is more efficient. In UDP you would see

  1. nslookup sends request
  2. named sends answer

In TCP you would see

  1. nslookup's machine sends SYN
  2. named's machine sends SYN-ACK
  3. nslookup's machine sends ACK and the request
  4. named's machine sends the response

That is much more than is necessary for a tiny DNS packet.
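Added example, not part of the original answer: because a UDP reply carries no flag that marks it as a reply, a filter that wants "established" behaviour has to remember each outbound datagram and permit only inbound packets that mirror it. The sketch below shows that bookkeeping in Python; the addresses, ports, class names and 30-second idle timeout are constructed assumptions, and it is not Cisco IOS configuration.

```python
# Added illustration, not from the original post. Addresses, ports and the
# 30-second idle timeout are constructed sample values.
from typing import NamedTuple

class Packet(NamedTuple):
    t: float        # arrival time in seconds
    direction: str  # "out" = inside -> outside, "in" = outside -> inside
    src: str
    sport: int
    dst: str
    dport: int

class UdpFlowTable:
    """Permit inbound UDP only as a reply to a recent outbound datagram."""

    def __init__(self, idle_timeout: float = 30.0):
        self.idle_timeout = idle_timeout
        self.flows = {}  # (inside ip, inside port, outside ip, outside port) -> last seen

    def check(self, p: Packet) -> bool:
        if p.direction == "out":
            # Outbound traffic creates or refreshes the pseudo-connection.
            self.flows[(p.src, p.sport, p.dst, p.dport)] = p.t
            return True
        # Inbound: all four fields must mirror a tracked outbound datagram.
        key = (p.dst, p.dport, p.src, p.sport)
        last = self.flows.get(key)
        if last is None or p.t - last > self.idle_timeout:
            self.flows.pop(key, None)  # unknown or expired: deny
            return False
        self.flows[key] = p.t
        return True

def run(packets):
    table = UdpFlowTable()
    return [table.check(p) for p in packets]

# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    Packet(0.0, "out", "192.0.2.10", 40001, "198.51.100.53", 53),   # query
    Packet(0.1, "in", "198.51.100.53", 53, "192.0.2.10", 40001),    # answer
    Packet(0.2, "in", "203.0.113.7", 53, "192.0.2.10", 40001),      # wrong server
    Packet(0.3, "in", "198.51.100.53", 53, "192.0.2.10", 40002),    # wrong client port
    Packet(45.0, "in", "198.51.100.53", 53, "192.0.2.10", 40001),   # after timeout
]

if __name__ == "__main__":
    for p, ok in zip(SAMPLE, run(SAMPLE)):
        print("permit" if ok else "deny  ", p)
```

Only the query and its matching answer are permitted; a packet that merely has source port 53 is denied unless the server address, client address and client port all match a tracked query that is still within the timeout.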

© Server Fault or respective owner