Cisco IOS BVI ACL: Only allow established UDP
Posted
by
George Bailey
on Server Fault
See other posts from Server Fault
or by George Bailey
Published on 2011-01-05T13:40:24Z
Indexed on
2011/01/08
14:55 UTC
Read the original article
Hit count: 313
Related: Cisco IOS ACL: Don't permit incoming connections just because they are from port 80
I know we can use the established
keyword for TCP.. but what can we do for UDP (short of replacing a Bridge or BVI with a NAT)?
Answer
I found out what "UDP has no connection" means.
DNS uses UDP for example..
named
(DNS server) is lisenting on port 53nslookup
(DNS client) starts listening on some random port and sends a packet to port 53 of the server and notes the source port in that packet.nslookup
will retry 3 times if necessary. Also the packets are so small that it does not have to worry about them coming in the wrong order.- If
nslookup
receives a response on that port that comes from the servers IP and port then it stops listening. If the server tried to send two responses (for example a response and a response to the retry) then the server would not care if either of them made it because the client has the job to retry. In fact.. unless ICMP 3/3 packet gets through the server would not know about a failure. This is different from TCP where you get connection closed or timed out errors.
DNS allows for an easy retry from the client as well as small packets.. so UDP is an excellent choice because it is more efficient. In UDP you would see
nslookup
sends requestnamed
sends answer
In TCP you would see
nslookup
's machine sendsSYN
named
's machine sendsSYN-ACK
nslookup
's machine sendsACK
and the requestnamed
's machine sends the response
That is much more than is necessary for a tiny DNS packet
© Server Fault or respective owner