On Fri, 02 May 2008 12:37:18 +0000, Andrew Gideon wrote:
> On Fri, 02 May 2008 07:10:34 +0000, Burkhard Ott wrote:
>
>> UDP is stateless (http://www.faqs.org/rfcs/rfc768.html)
>
> This doesn't mean that a stateful protocol cannot be built over UDP. DNS
> has "responses". Therefore, it has state.
No, it doesn't; you surely mean a session in the firewall/filter.
You can't mix a stateless protocol with a stateful one.
(but you could encapsulate it)
Many stateful firewalls are able to track the state of flows in
connectionless protocols, like UDP.
Such sessions usually get the ESTABLISHED state immediately after the
first packet is seen by the firewall.
Sessions in connectionless protocols can only end by time-out, because
there is no flag where you could see that it is the last packet.
It is not part of the protocol.
By keeping track of the connection state, stateful firewalls provide added
efficiency in terms of packet inspection.
This is because for existing connections the firewall need only check the
state table, instead of checking the packet against the firewall's rule
set, which can be extensive.
cheers
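A minimal model of the UDP flow tracking described in this post (an added illustration, not code from the thread; the rule set, the timeout value and the addresses are constructed): the first packet of a flow is checked against the rule set, an accepted flow gets an ESTABLISHED entry at once, reply packets are matched by the reversed tuple in the state table instead of the rules, and entries disappear only when they idle past the timeout.

```python
from dataclasses import dataclass

# Constructed rule set: (proto, dst_port) -> action. Outbound DNS is allowed,
# anything not listed is dropped. Only the first packet of a flow is checked
# against it; later packets of the same flow are matched in the state table.
RULES = {("udp", 53): "accept"}
UDP_TIMEOUT = 30.0  # seconds of idle time after which a UDP entry is expired

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFilter:
    def __init__(self):
        self.table = {}  # flow key -> (state, last_seen)

    @staticmethod
    def key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def reverse_key(pkt):
        # The reply direction of the same flow: addresses and ports swapped.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def expire(self, now):
        # UDP carries no "last packet" flag, so idle timeout is the only way out.
        self.table = {k: v for k, v in self.table.items()
                      if now - v[1] <= UDP_TIMEOUT}

    def handle(self, pkt, now):
        """Return (action, matched_by) for one packet seen at time `now`."""
        self.expire(now)
        for k in (self.key(pkt), self.reverse_key(pkt)):
            if k in self.table:
                self.table[k] = ("ESTABLISHED", now)  # refresh last_seen
                return "accept", "state-table"
        # Unknown flow: consult the (potentially extensive) rule set.
        action = RULES.get((pkt.proto, pkt.dport), "drop")
        if action == "accept":
            # ESTABLISHED immediately after the first packet, as for UDP.
            self.table[self.key(pkt)] = ("ESTABLISHED", now)
        return action, "rule-set"
```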