Firewall rules

Vernon Schryver
Mon Sep 13 13:35:16 UTC 2004

> From: Alex S Moore 

> My firewall rule (not ipchains or Cisco IOS), says the direction of udp
> packets is send-receive.  I can also define receive-send or both
> directions.  Does it sound reasonable that send-receive direction would
> not allow someone to bind to port 6277 and then connect to port 3306?

Unless your firewall is stateful and has been taught about the DCC
protocol, I don't see how to make that work.  The trouble is that
the following sequence is valid:

  DCC/UDP/IP request from local port 9402 to distant port 6277
  DCC/UDP/IP answer from distant port 6277 to local port 9402

but the following is questionable:

  arbitrary UDP packet from distant port 6277 to local port 9402

Unless your firewall is smart enough to know that a legitimate incoming
UDP packet from a distant port 6277 to a local port must always be
preceded by an outgoing packet from that same local port to port 6277
at that same distant IP address within 30 seconds, I don't see how to
address the worry.

Vernon Schryver
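
The stateful check described above, as an added example in Python; it is not code from the DCC project or from either poster, and the packet trace, addresses and timestamps are constructed.

```python
from dataclasses import dataclass

DCC_PORT = 6277            # DCC server port named in the message
WINDOW_SECONDS = 30.0      # an answer must follow its request within 30 s


@dataclass(frozen=True)
class Packet:
    direction: str    # "out" = local -> distant, "in" = distant -> local
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    ts: float         # capture time in seconds


class DccUdpTracker:
    """Stateful filter for UDP traffic to or from distant port 6277."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        # (local_ip, local_port, remote_ip) -> time of the last outbound request
        self._pending = {}

    def _expire(self, now):
        for key in [k for k, t in self._pending.items() if now - t > self.window]:
            del self._pending[key]

    def filter(self, pkt):
        """Return 'accept', 'drop', or 'pass' (not DCC; other rules decide)."""
        self._expire(pkt.ts)
        if pkt.remote_port != DCC_PORT:
            return "pass"
        key = (pkt.local_ip, pkt.local_port, pkt.remote_ip)
        if pkt.direction == "out":
            self._pending[key] = pkt.ts        # remember the request
            return "accept"
        # inbound: only if this local port asked this distant IP within the window
        return "accept" if key in self._pending else "drop"


def run_trace(tracker, packets):
    return [tracker.filter(p) for p in packets]


# Constructed trace mirroring the sequence in the message (hypothetical addresses).
SAMPLE = [
    Packet("out", "10.0.0.5", 9402, "192.0.2.10", DCC_PORT, 100.0),   # request
    Packet("in",  "10.0.0.5", 9402, "192.0.2.10", DCC_PORT, 100.2),   # answer
    Packet("in",  "10.0.0.5", 9402, "203.0.113.7", DCC_PORT, 101.0),  # unasked host
    Packet("in",  "10.0.0.5", 3306, "192.0.2.10", DCC_PORT, 101.5),   # other local port
    Packet("in",  "10.0.0.5", 9402, "192.0.2.10", DCC_PORT, 140.0),   # 40 s later
]
```

Only the second packet is accepted: the third comes from a host never asked, the fourth targets a local port that sent no request, and the fifth arrives after the 30-second window has expired.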

