
DCCP and legacy firewalls.

Posted Sep 1, 2005 16:19 UTC (Thu) by Duncan (guest, #6647)
In reply to: Linux gets DCCP by imcdnzl
Parent article: Linux gets DCCP

What does DCCP look like to a legacy firewall? You mention that it's
designed to work well with firewalls, but how would I implement "allow"
filters on a default-deny policy firewall, that only understands legacy
protocols? Would DCCP look to it like UDP? IOW, is it UDP with
additional protocol info in what would be the UDP payload, thus recognized
as UDP by legacy routers, or ??? If so, are there NAPT/masquerade
implications similar to those with FTP and various VoIP and security
protocols, or not?

I ask as I run one of those legacy things, one of the first-gen consumer
level NAPT based broadband routers. At some point, I'll likely replace it
with a Linux based appliance and therefore benefit from community firmware
projects, but my old Netgear rt314 has and continues to serve me well, so
why mess with a good thing until I need to?

OTOH, it'll probably be another year or more before there's enough out
there using DCCP in working deployments to be worrisome, particularly if
MSWormOS support lags, and by then I may well have upgraded routers, but
there'll still certainly be others who haven't.

Duncan


DCCP and legacy firewalls.

Posted Sep 1, 2005 21:34 UTC (Thu) by psiren (guest, #29126)

I'm far from an expert, but having had a quick glance through the RFC, section 19 refers to the protocol number for DCCP being 33 (probably). UDP uses 17, so it will be seen as distinct and different from UDP. Take a quick glance at /etc/protocols to see how many there are (more than you probably realise, not that you use many of them day to day).

Many firewalls support protocols other than the common TCP, UDP and ICMP, so there's no specific reason to think you won't be able to pass the data through. However, there may not be direct support for checking anything inside the packets' headers, as the software would need to understand the protocol to extract this information.

DCCP and legacy firewalls.

Posted Sep 4, 2005 22:53 UTC (Sun) by imcdnzl (guest, #28899)

What I meant by friendly to firewalls is that it is easy to track sessions (much easier than UDP where there are no direct sessions). That is one of the main reasons why media applications fall back to TCP...

Of course you have to allow protocol 33 through as another poster says, which on some equipment may cause problems.
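The two replies above make a concrete point that is easy to check in code: DCCP is not UDP-with-extras but its own IP protocol (number 33, versus 17 for UDP), so a default-deny filter that only knows how to classify ICMP, TCP and UDP drops every DCCP packet no matter which "UDP ports" it allows, while a filter that understands the DCCP generic header can see the port pair and packet type (Request, Ack, Close, ...) and track a session on them. The following is an added example and not code from either poster or from the Linux DCCP implementation. The packet builders, the parsers and the two `*_verdict` functions are this example's own hypothetical toy filter; the header layouts follow RFC 4340 section 5.1 (16-byte generic header when X=1, with a 32-bit Service Code appended on a DCCP-Request) and the sample packets are constructed inline.

```python
import ipaddress
import struct

# IANA IP protocol numbers relevant to the thread
IPPROTO_ICMP = 1
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_DCCP = 33

# DCCP packet types (RFC 4340 section 5.1, "Type" field)
DCCP_TYPES = {0: "Request", 1: "Response", 2: "Data", 3: "Ack", 4: "DataAck",
              5: "CloseReq", 6: "Close", 7: "Reset", 8: "Sync", 9: "SyncAck"}


def build_ipv4(proto, payload, src="192.0.2.1", dst="198.51.100.2"):
    """Constructed IPv4 header, no options; header checksum left at 0 for brevity."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_udp(sport, dport, data):
    """Constructed UDP header (checksum 0) followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_dccp(sport, dport, ptype, seq, service_code=0):
    """Constructed DCCP generic header with X=1 (48-bit sequence number).
    A Request (type 0) also carries a 32-bit Service Code after the header."""
    tail = struct.pack("!I", service_code) if ptype == 0 else b""
    header_len = 16 + len(tail)
    data_offset = header_len // 4              # in 32-bit words
    type_byte = (ptype << 1) | 1               # Res=0 | Type | X=1
    return (struct.pack("!HHBBH", sport, dport, data_offset, 0, 0)
            + bytes([type_byte, 0]) + seq.to_bytes(6, "big") + tail)


def parse_ipv4(pkt):
    """Return the fields a legacy filter actually keys on: protocol and transport payload."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto, "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)), "payload": pkt[ihl:total_len]}


def parse_dccp(seg):
    """Decode the DCCP generic header: ports, type and sequence number."""
    sport, dport, data_offset, _ccval_cscov, _csum = struct.unpack("!HHBBH", seg[:8])
    type_byte = seg[8]
    ptype, x = (type_byte >> 1) & 0x0F, type_byte & 1
    seq = int.from_bytes(seg[10:16], "big") if x else int.from_bytes(seg[9:12], "big")
    return {"sport": sport, "dport": dport, "type": DCCP_TYPES.get(ptype, ptype),
            "x": x, "seq": seq, "header_len": data_offset * 4}


def legacy_verdict(pkt, allowed_ports):
    """Default-deny filter that only understands ICMP, TCP and UDP.
    The port match is applied to TCP and UDP (ports sit at the same offset);
    anything else, including protocol 33, is dropped before any port is looked at."""
    ip = parse_ipv4(pkt)
    if ip["proto"] == IPPROTO_ICMP:
        return "ACCEPT"
    if ip["proto"] in (IPPROTO_TCP, IPPROTO_UDP):
        _sport, dport = struct.unpack("!HH", ip["payload"][:4])
        return "ACCEPT" if dport in allowed_ports else "DROP"
    return "DROP"


def dccp_aware_verdict(pkt, allowed_dccp_ports):
    """Same filter plus DCCP knowledge: a new session is opened only by a
    DCCP-Request to a permitted port; other DCCP types need an existing session,
    which this toy filter does not track, so they are dropped."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != IPPROTO_DCCP:
        return legacy_verdict(pkt, set())
    d = parse_dccp(ip["payload"])
    if d["type"] == "Request" and d["dport"] in allowed_dccp_ports:
        return "ACCEPT"
    return "DROP"


# Constructed sample traffic: a UDP datagram and a DCCP-Request, both to port 5001
UDP_PKT = build_ipv4(IPPROTO_UDP, build_udp(40000, 5001, b"hello"))
DCCP_REQ_PKT = build_ipv4(IPPROTO_DCCP, build_dccp(40000, 5001, 0, 0x123456789ABC, 0x01020304))
DCCP_ACK_PKT = build_ipv4(IPPROTO_DCCP, build_dccp(40000, 5001, 3, 0x123456789ABD))

if __name__ == "__main__":
    for name, pkt in (("udp", UDP_PKT), ("dccp-request", DCCP_REQ_PKT), ("dccp-ack", DCCP_ACK_PKT)):
        print(name, "legacy:", legacy_verdict(pkt, {5001}),
              "dccp-aware:", dccp_aware_verdict(pkt, {5001}))
```

On a Linux firewall the DCCP-aware rule corresponds to `iptables -A INPUT -p dccp --dport 5001 -j ACCEPT` (the dccp match module also takes `--dccp-types Request`), whereas `-p udp --dport 5001` never matches protocol 33; an appliance without any notion of protocol 33 has no equivalent rule to write, which is the situation the thread is about.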


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds