5.3.4. UDP Service

The UDP service object describes a service carried over UDP, the connectionless transport-layer protocol. Many well-known applications use UDP as their transport, such as DNS (Domain Name System), DHCP (Dynamic Host Configuration Protocol), NTP (Network Time Protocol), and SNMP (Simple Network Management Protocol).

As in TCP, UDP uses port numbers to distinguish applications from one another. The UDP packet header carries two port numbers: the source port and the destination port. The UDP service object in Firewall Builder lets you define a range for both the source and the destination ports. The values assigned to the start and end of a range have the same meaning as in the TCP service object: ranges are inclusive, that is, both the start and the end port of the range are matched. Using "0" for both the start and the end of the range means "any port". These rules apply to both the source and the destination range. The following screenshot shows the "dns" UDP Service object, which represents the Domain Name System protocol and uses destination port 53.

Figure 5.117. 


Objects in the Standard set of service objects are not editable. However, you can copy a service object, paste the copy into the User tree and edit it there, or you can right-click the UDP folder in the User tree and select New UDP Service to create a service object from scratch.

The UDP Service dialog provides the following controls:

  • Name: This is the name of the object.

  • Source port range: These two controls define the start and the end of the source port range. They accept values 0 through 65535.

  • Destination port range: These two controls define the start and the end of the destination port range. They accept values 0 through 65535.

  • Comments: This is a free-style text field used for comments.

5.3.4.1. Using UDP Service in Rules

5.3.4.1.1. Single Destination UDP port

In this example we'll use the UDP service object "domain" shown in the screenshot above. The rule looks like this:

Figure 5.118. 


Here is the iptables command generated for this rule:


# Rule 0 (global)
# 
$IPTABLES -A FORWARD  -i + -p udp -m udp  --dport 53  -m state --state NEW  -j ACCEPT 

This rule has an "-i +" clause because the direction was set to Inbound but the "Interface" column was left empty. To enforce the inbound direction, the compiler uses the "-i" option; since no interface was specified, the rule is attached to all interfaces, which is what the "+" wildcard means.

Here is the generated PF 4.x configuration:


# Rule  0 (global)
# 
pass in   quick inet proto udp  from any  to any port 53

In the pf configuration, the direction is defined by the "in" keyword, and since no interface was requested, there is no "on <interface>" clause.

The generated Cisco access list statement is quite trivial:


ip access-list extended fe0_0_in
! 
! Rule  0 (global)
! 
  permit udp any  any  eq 53 
! 
exit

5.3.4.1.2. Source Port Range

The following UDP service object defines a source port range covering the ports greater than or equal to 1024:

Figure 5.119. 


Using this object in a policy rule yields the following code for iptables:

# Rule 0 (global)
# 
$IPTABLES -A FORWARD  -i + -p udp -m udp  --sport 1024:65535  -m state \
--state NEW  -j ACCEPT 

And for PF:


# Rule  0 (global)
# 
# 
pass in   quick inet proto udp  from any port >= 1024  to any

The Cisco access list statement:


ip access-list extended e1_0_in
! 
! Rule  0 (global)
! 
  permit udp any  gt 1024 any  
!
exit
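
The following Python script is an added example, not Firewall Builder's compiler code. It applies the range rules stated for the UDP Service dialog (ranges are inclusive, "0" for both start and end means "any port", values 0 through 65535) and renders a service's source and destination ranges in the three target syntaxes shown above: iptables "--sport/--dport A:B", pf "port N", "port >= A" or "port A:B", and Cisco IOS "eq", "gt" or "range". Assumptions of the example: a range of 0-65535 is treated as "any" (the page documents only 0/0), the "-i +", FORWARD and "--state NEW" boilerplate and the "permit udp any ... any" framing simply mirror the outputs above, and interface names and access-list headers are omitted. One check worth carrying away: IOS "gt N" matches ports strictly greater than N, so the example writes an inclusive lower bound of 1024 as "gt 1023"; compare that with the "gt 1024" statement generated above and confirm that port 1024 itself is handled the way you intend.

```python
"""Render a UDP service's inclusive port ranges for iptables, pf and IOS.

Added example, not Firewall Builder code: it implements the documented
range semantics (inclusive ranges, 0/0 = any port) for the three targets.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_PORT = 65535
PortRange = Tuple[int, int]          # (start, end), both inclusive


@dataclass(frozen=True)
class UdpService:
    """Mirrors the dialog: name, source range, destination range."""
    name: str
    src: PortRange = (0, 0)
    dst: PortRange = (0, 0)


def is_any(rng: PortRange) -> bool:
    """0/0 is the documented 'any port'; treating 0-65535 the same is an
    assumption of this example, not documented behaviour."""
    return rng == (0, 0) or rng == (0, MAX_PORT)


def check_range(rng: PortRange) -> None:
    """Reject what the dialog would not accept: out-of-range or inverted ports."""
    start, end = rng
    for port in (start, end):
        if not 0 <= port <= MAX_PORT:
            raise ValueError(f"port {port} outside 0..{MAX_PORT}")
    if start > end:
        raise ValueError(f"inverted range {start}..{end}")


def iptables_port(rng: PortRange) -> Optional[str]:
    """iptables -m udp: single port 'N', inclusive range 'A:B', None for any."""
    check_range(rng)
    if is_any(rng):
        return None
    start, end = rng
    return str(start) if start == end else f"{start}:{end}"


def pf_port(rng: PortRange) -> Optional[str]:
    """pf: 'port N', 'port >= A' when open-ended, 'port A:B' (':' is inclusive)."""
    check_range(rng)
    if is_any(rng):
        return None
    start, end = rng
    if start == end:
        return f"port {start}"
    if end == MAX_PORT:
        return f"port >= {start}"
    return f"port {start}:{end}"


def ios_port(rng: PortRange) -> Optional[str]:
    """IOS ACL operators: 'eq N', 'gt N' (strictly greater), 'range A B'.
    'gt' excludes its operand, so an inclusive lower bound A is 'gt A-1'."""
    check_range(rng)
    if is_any(rng):
        return None
    start, end = rng
    if start == end:
        return f"eq {start}"
    if end == MAX_PORT:
        return f"gt {start - 1}"
    return f"range {start} {end}"


def _join(head: str, src: Optional[str], mid: str, dst: Optional[str], tail: str = "") -> str:
    return " ".join(p for p in (head, src, mid, dst, tail) if p)


def iptables_rule(svc: UdpService) -> str:
    """Inbound rule on all interfaces ('-i +'), framed like the page's output."""
    src = iptables_port(svc.src)
    dst = iptables_port(svc.dst)
    return _join("$IPTABLES -A FORWARD -i + -p udp -m udp",
                 f"--sport {src}" if src else None, "",
                 f"--dport {dst}" if dst else None,
                 "-m state --state NEW -j ACCEPT")


def pf_rule(svc: UdpService) -> str:
    return _join("pass in quick inet proto udp from any", pf_port(svc.src),
                 "to any", pf_port(svc.dst))


def ios_ace(svc: UdpService) -> str:
    return _join("permit udp any", ios_port(svc.src), "any", ios_port(svc.dst))


if __name__ == "__main__":
    for svc in (UdpService("dns", dst=(53, 53)),
                UdpService("high-src", src=(1024, MAX_PORT))):
        print(svc.name)
        for line in (iptables_rule(svc), pf_rule(svc), ios_ace(svc)):
            print("  " + line)
```

Running the script prints the three renderings for the "dns" object (destination port 53) and for the source-port-range object (1024 through 65535). Extending it to a new target means adding one function that maps an inclusive (start, end) pair onto that target's operators; the range validation and the "any" handling stay shared.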
Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.