Project

General

Profile

Bug #1635

timeout setting on firewall rules does not work for UDP

Added by Adam Gundy about 8 years ago. Updated about 8 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Rules / NAT
Target version:
-
Start date:
07/02/2011
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.0
Affected Architecture:

Description

the 'state timeout' firewall rule setting (under 'advanced options') has no effect on UDP connections. that's because it only applies the 'tcp.established' setting to the firewall rule. it should also apply 'udp.multiple'.

the code in question is /etc/inc/filter.inc, line 1959. instead of 'tcp.established NNN' is should add 'tcp.established NNN, udp.multiple NNN'

History

#1 Updated by Evgeny Yurchenko about 8 years ago

Now if I configure this option through gui for different types of traffic I get this:
pass in quick on em0 inet from 1.1.1.1 to any flags S/SA keep state (tcp.established 10) label "USER_RULE"
pass in quick on em0 inet proto udp from 1.1.1.1 to any keep state (tcp.established 10) label "USER_RULE"
pass in quick on em0 inet proto tcp from 1.1.1.1 to any flags S/SA keep state (tcp.established 10) label "USER_RULE"

Are we sure that the next would be better (I am not sure about syntax):
pass in quick on em0 inet from 1.1.1.1 to any flags S/SA keep state (tcp.established 10, udp.multiple 10) label "USER_RULE"
pass in quick on em0 inet proto udp from 1.1.1.1 to any keep state (udp.multiple 10) label "USER_RULE"
pass in quick on em0 inet proto tcp from 1.1.1.1 to any flags S/SA keep state (tcp.established 10) label "USER_RULE"

#2 Updated by Adam Gundy about 8 years ago

I'd assume that the 'udp' timeout is ignored for non-UDP traffic, in the same way as the 'tcp' timeout is ignored for non-TCP traffic, so it should be safe to simply apply both. no need to get clever in the rule writing code..

Also available in: Atom PDF