From: Phil B. <ph...@ph...> - 2002-06-29 04:22:00
On Friday 28 June 2002 23:57, Eric S. Johansson wrote:
> On Fri, 28 Jun 2002 21:36:55 -0400 Phil Barnett <ph...@ph...> wrote:
>
> PB>
> PB> Good question!
> PB>
> PB> Is there a reason why UDP is not open for replies from orange to green,
> PB> like TCP is?
>
> Because the firewall isn't stateful. UDP packets don't have "replies"
> in the same way that TCP does. We will need to move to 2.4 in order
> to have what you want.
>
> If you leave the firewall open for "replies" from UDP requests, it's
> open to everyone. When I created the basic structure for DMZ pinholes
> etc., I discovered that I could port scan through the firewall using
> nmap -sU and tell what machines were running what UDP services.
> That's when I locked down UDP returns.

I guess that would pretty much cover it. Do we need to reiterate this on the user list?
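The point Eric makes above, as an added illustration that is not part of the thread or of the firewall's own code: a stateless (ipchains-style) filter can only let UDP "replies" back from orange with a blanket rule such as "UDP from orange to green, destination port 1024 and up", and a scanner on orange can satisfy that rule with hand-made probes. A stateful (2.4 netfilter-style) filter instead remembers which green host sent which UDP datagram to orange and admits only the matching return packet. The two toy filters below, the 10.0.0.x/10.0.1.x addressing, the port 1024 cutoff and the 30-second flow timeout are all assumptions chosen for the example.

```python
"""Toy packet filter: stateless UDP 'reply' pinhole vs. a stateful one.

Added example, not SmoothWall/IPCop code. Addresses, the port cutoff and
the flow timeout are assumed values for illustration only.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")  # one UDP datagram

ORANGE_NET = "10.0.1."   # DMZ side (assumed addressing)
GREEN_NET = "10.0.0."    # trusted LAN side (assumed addressing)


def in_net(ip, net):
    return ip.startswith(net)


class StatelessFilter:
    """Every packet is judged on its own header fields, nothing else.

    The only way to let UDP replies back from orange is a rule that
    accepts any UDP datagram from orange to an unprivileged green port,
    which is exactly what a scanner's probes look like.
    """

    def allow(self, pkt, now=0):
        if in_net(pkt.src, GREEN_NET) and in_net(pkt.dst, ORANGE_NET):
            return True                 # green may initiate anything
        if in_net(pkt.src, ORANGE_NET) and in_net(pkt.dst, GREEN_NET):
            return pkt.dport >= 1024    # the blanket "reply" pinhole
        return False


class StatefulFilter:
    """Remembers green->orange UDP flows and admits only matching returns."""

    def __init__(self, timeout=30):
        self.timeout = timeout
        self.flows = {}   # (green_ip, green_port, orange_ip, orange_port) -> expiry

    def allow(self, pkt, now=0):
        # Drop expired flow entries, as a conntrack table would.
        self.flows = {k: t for k, t in self.flows.items() if t > now}
        if in_net(pkt.src, GREEN_NET) and in_net(pkt.dst, ORANGE_NET):
            self.flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + self.timeout
            return True
        if in_net(pkt.src, ORANGE_NET) and in_net(pkt.dst, GREEN_NET):
            # Only the exact reverse of a remembered green-initiated flow.
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows
        return False


def udp_scan(fw, scanner, target, ports, now=0):
    """Mimic nmap -sU from an orange host: one probe per target port from
    an unprivileged source port. Returns the ports whose probe got through,
    i.e. the ports the scanner could learn something about."""
    reached = []
    for p in ports:
        if fw.allow(Packet(scanner, 40000 + p % 1000, target, p), now):
            reached.append(p)
    return reached


def dns_exchange(fw, client, server, now=0):
    """A legitimate green->orange DNS lookup plus one forged 'reply' that
    the orange host aims at a port the client never used.
    Returns (query_allowed, real_reply_allowed, forged_reply_allowed)."""
    query = Packet(client, 3456, server, 53)
    reply = Packet(server, 53, client, 3456)
    forged = Packet(server, 53, client, 3457)
    return (fw.allow(query, now), fw.allow(reply, now), fw.allow(forged, now))


if __name__ == "__main__":
    ports = [53, 123, 161, 1024, 2049, 5000]
    print("stateless scan reaches:", udp_scan(StatelessFilter(), "10.0.1.10", "10.0.0.5", ports))
    print("stateful  scan reaches:", udp_scan(StatefulFilter(), "10.0.1.10", "10.0.0.5", ports))
    print("stateless dns:", dns_exchange(StatelessFilter(), "10.0.0.5", "10.0.1.10"))
    print("stateful  dns:", dns_exchange(StatefulFilter(), "10.0.0.5", "10.0.1.10"))
```

With the stateless pinhole the scanner's probes to every unprivileged green port pass the firewall, and a forged datagram to an unused client port passes as well; the stateful filter lets the real DNS answer through but nothing else, and forgets the flow once the timeout passes.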