UDP packet and firewall
up vote
1
down vote
favorite
I notice when I send udp packets from computer A to computer B,
B can receive the upd packets correctly
but if I send udp packets from computer B to computer A
the udp packets are not received
A and B are not in the same network, and they are all with public IP, they are not behind NAT.
does this mean there is a firewall in between which prevents A from receiving udp packets from B? if A sends some udp packets to B before B sends udp packets to A, will the firewall remember this and then allow the udp packets from B to A ?
I know TCP is stateful and so firewall have a lot of measures to block some malicious TCP packets, like TCP SYN flooding, but how firewall block UDP packets? are there any good articles about this?
because A is my computer in a office. I want to build a system so that a UDP program on A can receive packets from outside. But it seems the firewall filters all the incoming udp packets. I'm wondering, if I use a commercial UDP-based program, like UDP-based video streaming tool or website, can I watch videos?
thanks
networking security firewall iptables udp
asked Mar 28 '13 at 10:38
user1944267
10614
add a comment |
up vote
1
down vote
favorite
I notice when I send udp packets from computer A to computer B,
B can receive the upd packets correctly
but if I send udp packets from computer B to computer A
the udp packets are not received
A and B are not in the same network, and they are all with public IP, they are not behind NAT.
does this mean there is a firewall in between which prevents A from receiving udp packets from B? if A sends some udp packets to B before B sends udp packets to A, will the firewall remember this and then allow the udp packets from B to A ?
I know TCP is stateful and so firewall have a lot of measures to block some malicious TCP packets, like TCP SYN flooding, but how firewall block UDP packets? are there any good articles about this?
because A is my computer in a office. I want to build a system so that a UDP program on A can receive packets from outside. But it seems the firewall filters all the incoming udp packets. I'm wondering, if I use a commercial UDP-based program, like UDP-based video streaming tool or website, can I watch videos?
thanks
networking security firewall iptables udp
asked Mar 28 '13 at 10:38
user1944267
10614
add a comment |
up vote
1
down vote
favorite
up vote
1
down vote
favorite
I notice when I send udp packets from computer A to computer B,
B can receive the upd packets correctly
but if I send udp packets from computer B to computer A
the udp packets are not received
A and B are not in the same network, and they are all with public IP, they are not behind NAT.
does this mean there is a firewall in between which prevents A from receiving udp packets from B? if A sends some udp packets to B before B sends udp packets to A, will the firewall remember this and then allow the udp packets from B to A ?
I know TCP is stateful and so firewall have a lot of measures to block some malicious TCP packets, like TCP SYN flooding, but how firewall block UDP packets? are there any good articles about this?
because A is my computer in a office. I want to build a system so that a UDP program on A can receive packets from outside. But it seems the firewall filters all the incoming udp packets. I'm wondering, if I use a commercial UDP-based program, like UDP-based video streaming tool or website, can I watch videos?
thanks
networking security firewall iptables udp
asked Mar 28 '13 at 10:38
user1944267
10614
I notice when I send udp packets from computer A to computer B,
B can receive the upd packets correctly
but if I send udp packets from computer B to computer A
the udp packets are not received
A and B are not in the same network, and they are all with public IP, they are not behind NAT.
does this mean there is a firewall in between which prevents A from receiving udp packets from B? if A sends some udp packets to B before B sends udp packets to A, will the firewall remember this and then allow the udp packets from B to A ?
I know TCP is stateful and so firewall have a lot of measures to block some malicious TCP packets, like TCP SYN flooding, but how firewall block UDP packets? are there any good articles about this?
because A is my computer in a office. I want to build a system so that a UDP program on A can receive packets from outside. But it seems the firewall filters all the incoming udp packets. I'm wondering, if I use a commercial UDP-based program, like UDP-based video streaming tool or website, can I watch videos?
thanks
networking security firewall iptables udp
networking security firewall iptables udp
asked Mar 28 '13 at 10:38
user1944267
10614
asked Mar 28 '13 at 10:38
user1944267
10614
edited Mar 28 '13 at 11:42
asked Mar 28 '13 at 10:38
user1944267
10614
asked Mar 28 '13 at 10:38
user1944267
10614
asked Mar 28 '13 at 10:38
user1944267
10614
10614
add a comment |
add a comment |
3 Answers
3
active
oldest
votes
up vote
0
down vote
Sounds like computer B is behind a NAT router. If this is true, then every machine behind that router will look like it has the same IP address from computer A's point of view.
When NAT is involved, outgoing traffic causes the NAT router to remember the originator of that traffic for that destination IP for a while, so that when traffic is received from that same destination IP address, the NAT router knows who to "give the traffic back to."
When the NAT router receives unexpected traffic from the "outside", it doesn't know who to "give the traffic back to" unless you tell it with port forwarding rules.
NAT isn't really concerned with the type of traffic, except that some protocols don't work well with NAT by default because IP addresses are coded into the payload of the protocols. NAT typically only modifies the source IP field of packets, but in the case of things like FTP a "helper" may be needed that modifies the actual payload of the packet.
A firewall can "block" a packet, of any type by:
- sending an ICMP message back saying the packet is rejected for a specific reason
- simply not responding at all
- then there's hacky stuff like tarpits.
The only way "statefulness" affects that is that a firewall is going to usually treat new TCP connections very differently from existing ones - there will be "new" and "established" traffic.
UDP by definition is NOT a connection-oriented protocol, so there is no state to keep track of as far as OSI layers 2-4 are concerned. All incoming UDP connections are treated as "new" or the same.
The server or client that uses UDP to communicate may keep track of some state (a teensy bit of state is needed for things like TFTP to work - the TFTP client/server keep track of that on their own). But the TCP/IP stack isn't supposed to.
answered Mar 28 '13 at 11:23
LawrenceC
58.5k10101179
A and B are not in the same network, and they are all with public IP, they are not behind NAT.
– user1944267
Mar 28 '13 at 11:37
add a comment |
up vote
0
down vote
Possible reasons are (1) firewalls (2) wrong routing information (3) NAT somewhere on the path, even if you don't know about it.
Debug the network with traceroute and ping from both sides, see what is in between both computers, and see where the block is.
(As the question is 5 years old, it's unlikely to get more details...)
answered Aug 30 at 6:25
dirkt
8,92731121
add a comment |
up vote
0
down vote
Just go into both firewalls or advanced firewall settings and create a rule for incoming/outgoing UDP with specific machine info or ips. Can also access via PS but I recommend going directly to the MMC or firewall.
answered Sep 30 at 20:03
Rebellia Rose
11
add a comment |
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
0
down vote
Sounds like computer B is behind a NAT router. If this is true, then every machine behind that router will look like it has the same IP address from computer A's point of view.
When NAT is involved, outgoing traffic causes the NAT router to remember the originator of that traffic for that destination IP for a while, so that when traffic is received from that same destination IP address, the NAT router knows who to "give the traffic back to."
When the NAT router receives unexpected traffic from the "outside", it doesn't know who to "give the traffic back to" unless you tell it with port forwarding rules.
NAT isn't really concerned with the type of traffic, except that some protocols don't work well with NAT by default because IP addresses are coded into the payload of the protocols. NAT typically only modifies the source IP field of packets, but in the case of things like FTP a "helper" may be needed that modifies the actual payload of the packet.
A firewall can "block" a packet, of any type by:
- sending an ICMP message back saying the packet is rejected for a specific reason
- simply not responding at all
- then there's hacky stuff like tarpits.
The only way "statefulness" affects that is that a firewall is going to usually treat new TCP connections very differently from existing ones - there will be "new" and "established" traffic.
UDP by definition is NOT a connection-oriented protocol, so there is no state to keep track of as far as OSI layers 2-4 are concerned. All incoming UDP connections are treated as "new" or the same.
The server or client that uses UDP to communicate may keep track of some state (a teensy bit of state is needed for things like TFTP to work - the TFTP client/server keep track of that on their own). But the TCP/IP stack isn't supposed to.
answered Mar 28 '13 at 11:23
LawrenceC
58.5k10101179
A and B are not in the same network, and they are all with public IP, they are not behind NAT.
– user1944267
Mar 28 '13 at 11:37
add a comment |
up vote
0
down vote
Sounds like computer B is behind a NAT router. If this is true, then every machine behind that router will look like it has the same IP address from computer A's point of view.
When NAT is involved, outgoing traffic causes the NAT router to remember the originator of that traffic for that destination IP for a while, so that when traffic is received from that same destination IP address, the NAT router knows who to "give the traffic back to."
When the NAT router receives unexpected traffic from the "outside", it doesn't know who to "give the traffic back to" unless you tell it with port forwarding rules.
NAT isn't really concerned with the type of traffic, except that some protocols don't work well with NAT by default because IP addresses are coded into the payload of the protocols. NAT typically only modifies the source IP field of packets, but in the case of things like FTP a "helper" may be needed that modifies the actual payload of the packet.
A firewall can "block" a packet, of any type by:
- sending an ICMP message back saying the packet is rejected for a specific reason
- simply not responding at all
- then there's hacky stuff like tarpits.
The only way "statefulness" affects that is that a firewall is going to usually treat new TCP connections very differently from existing ones - there will be "new" and "established" traffic.
UDP by definition is NOT a connection-oriented protocol, so there is no state to keep track of as far as OSI layers 2-4 are concerned. All incoming UDP connections are treated as "new" or the same.
The server or client that uses UDP to communicate may keep track of some state (a teensy bit of state is needed for things like TFTP to work - the TFTP client/server keep track of that on their own). But the TCP/IP stack isn't supposed to.
answered Mar 28 '13 at 11:23
LawrenceC
58.5k10101179
A and B are not in the same network, and they are all with public IP, they are not behind NAT.
– user1944267
Mar 28 '13 at 11:37
add a comment |
up vote
0
down vote
up vote
0
down vote
Sounds like computer B is behind a NAT router. If this is true, then every machine behind that router will look like it has the same IP address from computer A's point of view.
When NAT is involved, outgoing traffic causes the NAT router to remember the originator of that traffic for that destination IP for a while, so that when traffic is received from that same destination IP address, the NAT router knows who to "give the traffic back to."
When the NAT router receives unexpected traffic from the "outside", it doesn't know who to "give the traffic back to" unless you tell it with port forwarding rules.
NAT isn't really concerned with the type of traffic, except that some protocols don't work well with NAT by default because IP addresses are coded into the payload of the protocols. NAT typically only modifies the source IP field of packets, but in the case of things like FTP a "helper" may be needed that modifies the actual payload of the packet.
A firewall can "block" a packet, of any type by:
- sending an ICMP message back saying the packet is rejected for a specific reason
- simply not responding at all
- then there's hacky stuff like tarpits.
The only way "statefulness" affects that is that a firewall is going to usually treat new TCP connections very differently from existing ones - there will be "new" and "established" traffic.
UDP by definition is NOT a connection-oriented protocol, so there is no state to keep track of as far as OSI layers 2-4 are concerned. All incoming UDP connections are treated as "new" or the same.
The server or client that uses UDP to communicate may keep track of some state (a teensy bit of state is needed for things like TFTP to work - the TFTP client/server keep track of that on their own). But the TCP/IP stack isn't supposed to.
answered Mar 28 '13 at 11:23
LawrenceC
58.5k10101179
Sounds like computer B is behind a NAT router. If this is true, then every machine behind that router will look like it has the same IP address from computer A's point of view.
When NAT is involved, outgoing traffic causes the NAT router to remember the originator of that traffic for that destination IP for a while, so that when traffic is received from that same destination IP address, the NAT router knows who to "give the traffic back to."
When the NAT router receives unexpected traffic from the "outside", it doesn't know who to "give the traffic back to" unless you tell it with port forwarding rules.
NAT isn't really concerned with the type of traffic, except that some protocols don't work well with NAT by default because IP addresses are coded into the payload of the protocols. NAT typically only modifies the source IP field of packets, but in the case of things like FTP a "helper" may be needed that modifies the actual payload of the packet.
A firewall can "block" a packet, of any type by:
- sending an ICMP message back saying the packet is rejected for a specific reason
- simply not responding at all
- then there's hacky stuff like tarpits.
The only way "statefulness" affects that is that a firewall is going to usually treat new TCP connections very differently from existing ones - there will be "new" and "established" traffic.
UDP by definition is NOT a connection-oriented protocol, so there is no state to keep track of as far as OSI layers 2-4 are concerned. All incoming UDP connections are treated as "new" or the same.
The server or client that uses UDP to communicate may keep track of some state (a teensy bit of state is needed for things like TFTP to work - the TFTP client/server keep track of that on their own). But the TCP/IP stack isn't supposed to.
answered Mar 28 '13 at 11:23
LawrenceC
58.5k10101179
answered Mar 28 '13 at 11:23
LawrenceC
58.5k10101179
answered Mar 28 '13 at 11:23
LawrenceC
58.5k10101179
answered Mar 28 '13 at 11:23
LawrenceC
58.5k10101179
58.5k10101179
A and B are not in the same network, and they are all with public IP, they are not behind NAT.
– user1944267
Mar 28 '13 at 11:37
add a comment |
A and B are not in the same network, and they are all with public IP, they are not behind NAT.
– user1944267
Mar 28 '13 at 11:37
A and B are not in the same network, and they are all with public IP, they are not behind NAT.
– user1944267
Mar 28 '13 at 11:37
A and B are not in the same network, and they are all with public IP, they are not behind NAT.
– user1944267
Mar 28 '13 at 11:37
add a comment |
up vote
0
down vote
Possible reasons are (1) firewalls (2) wrong routing information (3) NAT somewhere on the path, even if you don't know about it.
Debug the network with traceroute and ping from both sides, see what is in between both computers, and see where the block is.
(As the question is 5 years old, it's unlikely to get more details...)
answered Aug 30 at 6:25
dirkt
8,92731121
add a comment |
up vote
0
down vote
Possible reasons are (1) firewalls (2) wrong routing information (3) NAT somewhere on the path, even if you don't know about it.
Debug the network with traceroute and ping from both sides, see what is in between both computers, and see where the block is.
(As the question is 5 years old, it's unlikely to get more details...)
answered Aug 30 at 6:25
dirkt
8,92731121
add a comment |
up vote
0
down vote
up vote
0
down vote
Possible reasons are (1) firewalls (2) wrong routing information (3) NAT somewhere on the path, even if you don't know about it.
Debug the network with traceroute and ping from both sides, see what is in between both computers, and see where the block is.
(As the question is 5 years old, it's unlikely to get more details...)
answered Aug 30 at 6:25
dirkt
8,92731121
Possible reasons are (1) firewalls (2) wrong routing information (3) NAT somewhere on the path, even if you don't know about it.
Debug the network with traceroute and ping from both sides, see what is in between both computers, and see where the block is.
(As the question is 5 years old, it's unlikely to get more details...)
answered Aug 30 at 6:25
dirkt
8,92731121
answered Aug 30 at 6:25
dirkt
8,92731121
answered Aug 30 at 6:25
dirkt
8,92731121
answered Aug 30 at 6:25
dirkt
8,92731121
8,92731121
add a comment |
add a comment |
up vote
0
down vote
Just go into both firewalls or advanced firewall settings and create a rule for incoming/outgoing UDP with specific machine info or ips. Can also access via PS but I recommend going directly to the MMC or firewall.
answered Sep 30 at 20:03
Rebellia Rose
11
add a comment |
up vote
0
down vote
Just go into both firewalls or advanced firewall settings and create a rule for incoming/outgoing UDP with specific machine info or ips. Can also access via PS but I recommend going directly to the MMC or firewall.
answered Sep 30 at 20:03
Rebellia Rose
11
add a comment |
up vote
0
down vote
up vote
0
down vote
Just go into both firewalls or advanced firewall settings and create a rule for incoming/outgoing UDP with specific machine info or ips. Can also access via PS but I recommend going directly to the MMC or firewall.
answered Sep 30 at 20:03
Rebellia Rose
11
Just go into both firewalls or advanced firewall settings and create a rule for incoming/outgoing UDP with specific machine info or ips. Can also access via PS but I recommend going directly to the MMC or firewall.
answered Sep 30 at 20:03
Rebellia Rose
11
answered Sep 30 at 20:03
Rebellia Rose
11
answered Sep 30 at 20:03
Rebellia Rose
11
answered Sep 30 at 20:03
Rebellia Rose
11
11
add a comment |
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f573643%2fudp-packet-and-firewall%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
