Cisco IOS BVI ACL: Only allow established UDP
- by George Bailey
Related: Cisco IOS ACL: Don't permit incoming connections just because they are from port 80
I know we can use the established keyword for TCP.. but what can we do for UDP (short of replacing a Bridge or BVI with a NAT)?
Answer
I found out what "UDP has no connection" means.
DNS uses UDP for example..
named (DNS server) is lisenting on port 53
nslookup (DNS client) starts listening on some random port and sends a packet to port 53 of the server and notes the source port in that packet.
nslookup will retry 3 times if necessary. Also the packets are so small that it does not have to worry about them coming in the wrong order.
If nslookup receives a response on that port that comes from the servers IP and port then it stops listening. If the server tried to send two responses (for example a response and a response to the retry) then the server would not care if either of them made it because the client has the job to retry. In fact.. unless ICMP 3/3 packet gets through the server would not know about a failure. This is different from TCP where you get connection closed or timed out errors.
DNS allows for an easy retry from the client as well as small packets.. so UDP is an excellent choice because it is more efficient. In UDP you would see
nslookup sends request
named sends answer
In TCP you would see
nslookup's machine sends SYN
named's machine sends SYN-ACK
nslookup's machine sends ACK and the request
named's machine sends the response
That is much more than is necessary for a tiny DNS packet
