From owner-freebsd-net Thu Jul 27 1:58:51 2000
Delivered-To: freebsd-net@freebsd.org
Received: from devnull.xpert.com (xpert.com [199.203.132.1]) by hub.freebsd.org (Postfix) with ESMTP id 46D3A37BACC for ; Thu, 27 Jul 2000 01:58:46 -0700 (PDT) (envelope-from Yonatan@xpert.com)
Received: from exchange.xpert.com ([199.203.132.115]) by devnull.xpert.com with esmtp (Exim 3.01 #1) id 13HjUg-0002rF-00 for net@freebsd.org; Thu, 27 Jul 2000 11:58:18 +0300
Received: by exchange.xpert.com with Internet Mail Service (5.5.2650.21) id ; Thu, 27 Jul 2000 12:00:41 +0300
Message-ID: <00BF97DD9F3FD311AB860060084E50DD311BBA@exchange.xpert.com>
From: Yonatan Bokovza
To: "'net@freebsd.org'"
Subject: NAT and UDP Sessions
Date: Thu, 27 Jul 2000 12:00:40 +0300
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="windows-1255"
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi all,

I have a problem with UDP packets that go bidirectionally via NAT. NAT is implemented by many machines and software packages, and a common problem is to define what exactly IS a "UDP session". UDP is sessionless, meaning there is no "first packet" or "last packet" or any kind of (standard) negotiation.

The model I'm referring to is a client behind NAT talking to a known server over UDP. Now, I think CheckPoint's FireWall-1 NAT uses "Stateful Inspection" to allow the server's packets to get back to the client if the client sent the first packet. FW-1 will allow returning (server to client) packets up to a default of 30 seconds after the client-to-server packet was sent.

From Cisco's site I gathered that the default for IOS NAT (and thus probably for Cisco's PIX FireWall) is 300 seconds (5 min) since the last packet.

Does anyone have similar information regarding other NAT implementations?

Regards,
Yonatan.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
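The two expiry rules the post describes (a fixed lifetime counted from the client's first packet, versus an idle timer reset by the most recent packet) can be modelled with a small UDP NAT binding table. This is an added example, not code from the post or from any of the products it names; the policy names `"first"` and `"idle"`, the constructed packet timeline, and the assumption that under the idle rule a reply packet also refreshes the timer are mine.

```python
from dataclasses import dataclass


@dataclass
class Binding:
    """One NAT table entry for a (client, server) UDP pair."""
    first_seen: float   # time of the outbound packet that created the entry
    last_seen: float    # time of the most recent packet in either direction


class UdpNat:
    """Toy UDP NAT state table with a pluggable expiry policy (constructed example)."""

    def __init__(self, policy: str, timeout: float):
        # "first": entry is valid for `timeout` seconds after the first outbound packet
        # "idle":  entry is valid for `timeout` seconds after the last packet seen
        assert policy in ("first", "idle")
        self.policy, self.timeout = policy, timeout
        self.table: dict[tuple[str, str], Binding] = {}

    def _alive(self, b: Binding, now: float) -> bool:
        ref = b.first_seen if self.policy == "first" else b.last_seen
        return now - ref <= self.timeout

    def outbound(self, client: str, server: str, now: float) -> bool:
        """Client -> server packet: creates or refreshes the binding; always forwarded."""
        b = self.table.get((client, server))
        if b is None or not self._alive(b, now):
            self.table[(client, server)] = Binding(now, now)
        else:
            b.last_seen = now
        return True

    def inbound(self, server: str, client: str, now: float) -> bool:
        """Server -> client packet: forwarded only while a live binding exists."""
        b = self.table.get((client, server))
        if b is None or not self._alive(b, now):
            self.table.pop((client, server), None)   # expired entries are dropped
            return False
        if self.policy == "idle":
            b.last_seen = now   # assumption: replies also reset the idle timer
        return True


# Constructed timeline: (seconds, direction) for one client/server pair.
EVENTS = [(0, "out"), (10, "in"), (20, "out"), (40, "in"), (60, "out"), (400, "in")]


def run_scenario(policy: str, timeout: float) -> list[bool]:
    """Return, per event, whether the NAT forwarded that packet."""
    nat, client, server = UdpNat(policy, timeout), "10.0.0.5:4000", "198.51.100.7:53"
    return [nat.outbound(client, server, t) if d == "out" else nat.inbound(server, client, t)
            for t, d in EVENTS]
```

With the 30-second fixed lifetime the server's reply at t=40 is dropped even though the client sent at t=20, while the 300-second idle rule forwards it and only drops the reply arriving 340 seconds after the last packet.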