Re: bind() udp behavior 2.6.8.1

[Jan Engelhardt]

>i am aware that UDP is connectionless.  However in terms of a firewall
>this is different.  It _must_ keep a state table of some sorts otherwise

must vs cannot.

>high port outbound connections destined for a DNS server will never be
>let back in b/c the firewall will just say "Why is this dns server
>making a udp connection to port 32768 on this client?".  Keeping a state
>table allows this behavior thru the firewall as it should.

no state for no connection.
if you want rate limiting, you can use iptables -m limit, or whatever your fw 
implements. Frankly, you can't distinguish DNS traffic from someone who 
hijacked your box by just looking at the packet's header. And your FW _has_ to 
account for the case that multiple, possibly "non-related" packets appear on 
the same source port.

>My issue is that linux is not randomizing or incrementing the ports it
>uses for udp connections to prevent this sort of issue since udp is
>connectionless.  We dont have sequence numbers or the sorts like TCP to

Works for me.

>sort this out, we only have source ip and port.

And the kernel keeps a rover. It's right here:

	grep udp_port_rover /usr/src/linux/net/ipv4/*.c

So whenever someone binds an udp socket to port 0, the kernel chooses 
something. And IF NOT (i.e port != 0 at the time you call bind), you gonna use 
THAT specific port.


Jan Engelhardt
-- 
ENOSPC
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/