The UDP service object is a generalization of the UDP protocol, which is a connectionless transport layer protocol. Many well-known applications use UDP as their transport, such as DNS (Domain Name System), DHCP (Dynamic Host Configuration Protocol), NTP (Network Time Protocol), and SNMP (Simple Network Management Protocol).
As in TCP, UDP uses port numbers to distinguish applications from one another. The UDP packet header carries two port numbers: the source port and the destination port. The UDP service object in Firewall Builder lets you define a range for both the source and the destination ports. The meaning of the values assigned to the start and end of a range is the same as in the TCP service object: ranges are inclusive, that is, both the start and end ports of the range are included. Using "0" for both the start and the end of a range means "any port". These rules apply to both the source and the destination range. The following screenshot shows the "dns" UDP Service object, which represents the Domain Name System protocol and uses destination port 53.
Objects in the Standard set of service objects are not editable. However, you can copy a service object, paste the copy into the User tree and edit it there, or you can right-click the ICMP folder in the User tree and select New ICMP Service to create a service object from scratch.
The UDP Service dialog provides the following controls:
Name: This is the name of the object
The Source port range: These two controls define the start and the end of the source port range. They accept values 0 through 65535.
The Destination port range: These two controls define the start and the end of the destination port range. They accept values 0 through 65535.
Comments: This is a free-style text field used for comments.
In this example we'll use the UDP service object "domain" shown in the screenshot above. The rule looks like this:
Here is the iptables command generated for this rule:
# Rule 0 (global)
#
$IPTABLES -A FORWARD -i + -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
This rule got a "-i +" clause because the direction was set to Inbound but the "Interface" column was left empty. To enforce the inbound direction the compiler uses the "-i" option, but since no interface was specified, the rule is attached to all interfaces, which is what the "+" wildcard means.
Here is the generated PF 4.x configuration:
# Rule 0 (global)
#
pass in quick inet proto udp from any to any port 53
In the pf configuration, the direction is defined by the "in" keyword, and since no interface was specified, there is no "on <interface>" clause.
The generated Cisco access list statement is quite trivial:
ip access-list extended fe0_0_in
!
! Rule 0 (global)
!
permit udp any any eq 53
!
exit
The following UDP service object defines a source port range covering the ports greater than or equal to 1024:
Using this object in a policy rule yields the following code for iptables:
# Rule 0 (global)
#
$IPTABLES -A FORWARD -i + -p udp -m udp --sport 1024:65535 -m state \
    --state NEW -j ACCEPT
And for PF:
# Rule 0 (global)
#
#
pass in quick inet proto udp from any port >= 1024 to any
The Cisco access list statement:
ip access-list extended e1_0_in
!
! Rule 0 (global)
!
permit udp any gt 1024 any
!
exit
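As an added example (not Firewall Builder's own compiler code), the following Python models the port-range semantics described above, including the "0 and 0 means any port" rule and the inclusive start/end, and renders a UDP service object into the iptables, PF and Cisco forms shown in the listings. The `UDPService` class and the rendering functions are assumptions of this example; the output text follows the generated rules above.

```python
# Added example, not Firewall Builder code: UDP service port ranges -> rules.
from dataclasses import dataclass

MAX_PORT = 65535

@dataclass(frozen=True)
class UDPService:
    src: tuple = (0, 0)  # (start, end), inclusive; (0, 0) means "any port"
    dst: tuple = (0, 0)

    def __post_init__(self):
        for start, end in (self.src, self.dst):
            if not 0 <= start <= end <= MAX_PORT:
                raise ValueError(f"bad port range {start}-{end}")

def _iptables_port(flag, start, end):
    if (start, end) == (0, 0):
        return ""  # any port: no --sport/--dport option is emitted at all
    return f" {flag} {start}" if start == end else f" {flag} {start}:{end}"

def _pf_port(start, end):
    if (start, end) == (0, 0):
        return ""
    if start == end:
        return f" port {start}"
    return f" port >= {start}" if end == MAX_PORT else f" port {start}:{end}"

def _cisco_port(start, end):
    if (start, end) == (0, 0):
        return ""
    if start == end:
        return f" eq {start}"
    # IOS 'gt N' is strictly greater than N, so a range from 1024 is 'gt 1023'
    return f" gt {start - 1}" if end == MAX_PORT else f" range {start} {end}"

def iptables_rule(svc):
    return ("$IPTABLES -A FORWARD -i + -p udp -m udp"
            + _iptables_port("--sport", *svc.src)
            + _iptables_port("--dport", *svc.dst)
            + " -m state --state NEW -j ACCEPT")

def pf_rule(svc):
    return ("pass in quick inet proto udp from any"
            + _pf_port(*svc.src) + " to any" + _pf_port(*svc.dst))

def cisco_ace(svc):
    return ("permit udp any" + _cisco_port(*svc.src)
            + " any" + _cisco_port(*svc.dst))
```

Because IOS `gt N` excludes port N itself, this example renders the ">= 1024" object as `gt 1023`, whereas the access list listed above uses `gt 1024`; it is worth checking a generated ACL against the intended inclusive range before deploying it.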
Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.