Saturday, 2 February 2013

Filtering of UDP

While UDP headers also contain source and destination port numbers and are very similar in structure to TCP headers, UDP headers do not contain anything like an ACK bit, since this protocol gives none of the assurances that TCP gives. By examining the header of an incoming UDP packet, one cannot tell, for instance, whether it is a first packet from an external client to an internal server, or conversely, a response from an external server to an internal client. In order to be able to make a judgement, routers will have to 'remember' which UDP packets have already been sent, from what source, and to which destination.
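The state table the paragraph describes, as an added example that is not from the original post: a simplified simulation of a router that records each outbound UDP 4-tuple and admits an inbound packet only when it matches a remembered flow with both ends swapped. Because UDP has no teardown, entries can only age out, so the filter also shows the timeout a real implementation needs. Packet fields, addresses and timings are constructed for illustration.

```python
# Added example (not from the original post): a simplified simulation of the
# state table a router keeps in order to judge incoming UDP packets. Packet
# fields, addresses and timings are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass(frozen=True)
class UdpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out": internal -> external, "in": external -> internal


class StatefulUdpFilter:
    """Remembers outbound UDP flows and admits only inbound packets that
    look like replies to one of them."""

    def __init__(self, timeout: float = 30.0) -> None:
        self.timeout = timeout
        self._flows: Dict[FlowKey, float] = {}  # flow -> time last seen

    def _expire(self, now: float) -> None:
        # UDP has no connection teardown, so entries can only age out.
        stale = [k for k, seen in self._flows.items() if now - seen > self.timeout]
        for k in stale:
            del self._flows[k]

    def process(self, pkt: UdpPacket, now: float) -> bool:
        """Return True to forward the packet, False to drop it."""
        self._expire(now)
        if pkt.direction == "out":
            # Outbound traffic is trusted here; record it so its reply can be matched.
            self._flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
            return True
        # Inbound: a reply carries the remembered 4-tuple with both ends swapped.
        reverse: FlowKey = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self._flows:
            self._flows[reverse] = now  # keep the flow alive while it is in use
            return True
        return False  # unsolicited inbound UDP: the header alone cannot justify it


def run_demo() -> List[bool]:
    """Constructed sequence: a DNS query, its reply, a reply from the wrong
    source, a reply nobody asked for, and a reply arriving after the timeout."""
    f = StatefulUdpFilter(timeout=30.0)
    packets = [
        (UdpPacket("10.0.0.5", 40000, "192.0.2.53", 53, "out"), 0.0),    # client query
        (UdpPacket("192.0.2.53", 53, "10.0.0.5", 40000, "in"), 0.2),     # matching reply
        (UdpPacket("203.0.113.9", 53, "10.0.0.5", 40000, "in"), 0.5),    # wrong source
        (UdpPacket("198.51.100.7", 53, "10.0.0.5", 40001, "in"), 0.7),   # never requested
        (UdpPacket("192.0.2.53", 53, "10.0.0.5", 40000, "in"), 45.0),    # after timeout
    ]
    return [f.process(p, t) for p, t in packets]


if __name__ == "__main__":
    print(run_demo())  # [True, True, False, False, False]
```

The timeout is the weak point of this design: too short and long-lived flows (a VoIP stream, a long DNS lookup) get cut off; too long and the table fills with dead entries, which is the resource an attacker would aim at with a flood of outbound-looking traffic. Real stateful firewalls tune this per service and cap the table size.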

Filtering of ICMP

ICMP messages, which carry IP status and control information, are filtered based on their message type field, rather than on source or destination addresses. For instance, echo requests (the messages a host responds to when pinged) could be blocked, while 'destination unreachable' might be let through.

Problems Associated with ICMP Error Codes

Returning ICMP error codes can help reduce network traffic by
warning the sender not to retry sending packets. However, a general
problem with returning error codes and warnings of this kind is that
multiple errors may lead to a (rather unsophisticated) DoS attack, and
even worse, a systematic probe may disclose considerable information
about your system to an attacker observing which packets evoke an
ICMP error code. Thus, it is probably more sensible to send such
warnings to internal systems, and restrict, or even drop completely,
error codes towards the outside world.
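A type-based ICMP policy along the lines of the last two sections, as an added example that is not from the original post: inbound echo requests are dropped while inbound replies and error messages are accepted, error messages between internal hosts pass freely, and error messages heading towards the outside world are restricted to a small budget per external destination rather than dropped outright, so a systematic probe learns little. The ICMP type numbers are those of RFC 792; the internal address range, the budget size and the sample traffic are constructed assumptions.

```python
# Added example (not from the original post): a type-based ICMP policy that
# lets error messages reach internal hosts but restricts them towards the
# outside. ICMP type numbers are from RFC 792; the internal range, the error
# budget and the sample traffic are constructed assumptions.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACHABLE = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
ICMP_PARAMETER_PROBLEM = 12

ERROR_TYPES = {ICMP_DEST_UNREACHABLE, ICMP_TIME_EXCEEDED, ICMP_PARAMETER_PROBLEM}

INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumed internal address range


@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


class IcmpFilter:
    """Decide per message type; direction comes from the addresses, not the type."""

    def __init__(self, max_errors_out_per_dst: int = 5) -> None:
        # Number of error messages allowed out towards any one external
        # destination before the remainder are silently dropped.
        self.max_errors_out = max_errors_out_per_dst
        self._errors_out: Dict[str, int] = defaultdict(int)

    def decide(self, pkt: IcmpPacket) -> str:
        inbound = not is_internal(pkt.src) and is_internal(pkt.dst)
        if inbound:
            if pkt.icmp_type == ICMP_ECHO_REQUEST:
                return "drop"    # do not answer pings from outside
            if pkt.icmp_type == ICMP_ECHO_REPLY or pkt.icmp_type in ERROR_TYPES:
                return "accept"  # replies and errors our own hosts rely on
            return "drop"        # anything else inbound is not needed
        outbound = is_internal(pkt.src) and not is_internal(pkt.dst)
        if outbound and pkt.icmp_type in ERROR_TYPES:
            # Error codes towards the outside world: restrict rather than drop
            # entirely, so legitimate peers still get feedback but a
            # systematic probe of which packets evoke an error learns little.
            self._errors_out[pkt.dst] += 1
            return "accept" if self._errors_out[pkt.dst] <= self.max_errors_out else "drop"
        # Everything else, including errors between two internal hosts, passes.
        return "accept"


def run_demo() -> List[str]:
    """Constructed traffic: an external ping, an external error, an internal
    ping going out, six errors towards one external host, one internal error."""
    f = IcmpFilter(max_errors_out_per_dst=5)
    packets = [
        IcmpPacket("198.51.100.7", "10.0.0.5", ICMP_ECHO_REQUEST),
        IcmpPacket("198.51.100.7", "10.0.0.5", ICMP_DEST_UNREACHABLE),
        IcmpPacket("10.0.0.5", "192.0.2.1", ICMP_ECHO_REQUEST),
    ]
    packets += [IcmpPacket("10.0.0.5", "203.0.113.9", ICMP_DEST_UNREACHABLE)] * 6
    packets.append(IcmpPacket("10.0.0.1", "10.0.0.5", ICMP_TIME_EXCEEDED))
    return [f.decide(p) for p in packets]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

Counting the outbound errors that hit the budget is also a useful detection signal: a single external address exhausting its error budget in a short time is exactly the footprint of the probing the section warns about, and is worth logging even though the packets themselves are dropped.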