UDP Services

SunScreen contains several state engines to handle UDP protocols:

• udp - Provides stateful UDP packet filtering. Allows a single request-and-response exchange between source and destination. State entries time out in 20 seconds if no response is received.

• udpall - Identical to udp. It is useful for avoiding conflicts while defining service groups containing many services.

• udp_datagram - Passes UDP packets from source to destination. You can specify that broadcast packets should be passed.

• udp_stateless - Allows UDP packets to be sent between source and destination. The UDP Port(s) field specifies the list of destination UDP ports that are allowed. The source UDP port must be a unreserved port. Note that this is a two-way exchange of UDP packets.

Because some services use unreserved port numbers, use of this state engine can open up security holes. Its use is not recommended.

For all UDP engines, you define a new service entry specifying the well-known destination, UDP port. Specifying port * passes all UDP traffic.