Thursday, November 10, 2011

How UDP connection state is processed in Stateful Inspection

UDP connections in Stateful Firewalls
UDP connections are simpler to maintain, since UDP itself is stateless.  When a UDP packet is allowed through the firewall (based on the rulebase), an entry is added to the connections table.  Any UDP packet can return within the timeout period (default 40 seconds) as long as both the SRC/DST IP addresses and the SRC/DST ports match.  For example, below is a DNS query.
 
Src_IP          Src_Prt Dst_IP          Dst_Prt IP_prot Kbuf    Type    Flags           Timeout
192.168.1.10    1111    136.1.1.20      53      17      0       16386   ff01ff00        34/40
192.168.1.10    1111    136.1.1.20      0       17      0       16386   ff01ff00        34/40

Here you see the system 192.168.1.10 doing a DNS query to the server 136.1.1.20.  For 40 seconds (Timeout) that system can return as many UDP packets as it wants, as long as both the SRC/DST IPs match and the SRC/DST ports match.  Notice how there are two entries, both identical except for the Dst_Prt, which is 53 and 0.  I do not know why FW-1 creates a second entry for a Dst_Prt of 0.  However, this is common for most, if not all, UDP traffic that FW-1 filters.
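To make the matching rule concrete, here is a small simulation of the behaviour described above. It is an added example, not code from the original post and not FW-1's own logic: the rulebase format, the class and function names, and the choice to refresh the timer on every matching packet are all assumptions made for illustration (the post only states the 40-second window). It keys the connections table on the full 5-tuple, accepts a packet whose exact or reversed 5-tuple is already in the table, otherwise consults the rulebase, and expires entries after the timeout.

```python
# Added example: a minimal stateful-firewall model for UDP pseudo-connections.
# Not taken from the original post or from Check Point FW-1; names and the
# rulebase layout are assumptions for illustration only.
from dataclasses import dataclass, field

UDP = 17
UDP_TIMEOUT = 40  # seconds, the default timeout mentioned in the post


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int = UDP


@dataclass
class StatefulFirewall:
    # rulebase: list of (dst_ip, dst_port, action); first match wins, default drop.
    # "any" is a wildcard for either field.
    rulebase: list
    timeout: int = UDP_TIMEOUT
    # connections table: 5-tuple -> absolute expiry time (seconds)
    table: dict = field(default_factory=dict)

    def _key(self, p):
        return (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto)

    def _reverse_key(self, p):
        # A reply swaps source and destination; the same 5 values must match.
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto)

    def _expire(self, now):
        for k in [k for k, exp in self.table.items() if exp <= now]:
            del self.table[k]

    def rulebase_allows(self, p):
        for dst_ip, dst_port, action in self.rulebase:
            if dst_ip in ("any", p.dst_ip) and dst_port in ("any", p.dst_port):
                return action == "accept"
        return False  # implicit drop at the end of the rulebase

    def process(self, p, now):
        """Return 'accept' or 'drop' for packet p seen at time `now` (seconds)."""
        self._expire(now)
        # 1. Existing pseudo-connection? Match the exact 5-tuple (same direction)
        #    or the reversed 5-tuple (a reply). Refreshing the timer on each
        #    matching packet is an assumption of this model.
        for key in (self._key(p), self._reverse_key(p)):
            if key in self.table:
                self.table[key] = now + self.timeout
                return "accept"
        # 2. No state yet: consult the rulebase and, if accepted, create the entry.
        if self.rulebase_allows(p):
            self.table[self._key(p)] = now + self.timeout
            return "accept"
        return "drop"


def demo():
    """Walk through the DNS query from the post with constructed packets."""
    fw = StatefulFirewall(rulebase=[("136.1.1.20", 53, "accept")])
    query = Packet("192.168.1.10", 1111, "136.1.1.20", 53)
    reply = Packet("136.1.1.20", 53, "192.168.1.10", 1111)
    wrong_port = Packet("136.1.1.20", 53, "192.168.1.10", 2222)
    return [
        fw.process(query, now=0),        # accept: rule matches, entry created
        fw.process(reply, now=5),        # accept: reversed 5-tuple is in the table
        fw.process(wrong_port, now=6),   # drop: client port differs, no inbound rule
        fw.process(reply, now=100),      # drop: entry expired (5 + 40 = 45 < 100)
    ]


if __name__ == "__main__":
    print(demo())
```

Running it shows why an unsolicited inbound UDP packet is dropped even though a legitimate reply on the same port is accepted: the difference is solely whether the full 5-tuple, reversed, is already in the table and still within its timeout.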
