robbyjo Guru
Joined: 06 Apr 2003 Posts: 462
Posted: Fri Jul 21, 2006 7:50 pm Post subject: Blocking UDP is Possible? Testing UDP Leaks? |
Hi all,
I'm wondering whether it's possible / practical to block the entire outgoing UDP traffic of an intranet? I mean, I want to limit the UDP traffic to the intranet only, and thus I'd like to block all outgoing UDP ports. Are there any ramifications in doing this? Is it really worth it?
Moreover, once I block the entire UDP traffic, how can I test for leaks? As far as I know, all firewall testers test only TCP traffic.
Do you have any idea of how to break / circumvent such a ban? I can think of some tunneling that can get around this UDP traffic ban. Is there another way?
Thanks a lot.
azuriel Apprentice
Joined: 27 Feb 2005 Posts: 166
Posted: Fri Jul 21, 2006 8:18 pm Post subject: |
Generally speaking, most firewalls block inbound traffic, not outbound (look at http://www.securityfocus.com/infocus/1867, an article on desktop firewalls). However, blocking outbound UDP shouldn't interfere with basic web browsing and SSL and such.
Stateless protocols like UDP can be really annoying to make work with firewalls; just my warning before you slap down a blanket DROP rule.
troymc Guru
Joined: 22 Mar 2006 Posts: 553
Posted: Fri Jul 21, 2006 9:06 pm Post subject: |
You might want to monitor that traffic first so you are aware of what you are blocking.
For example, DNS lookups will require outbound connections on UDP port 53.
You can use apps like tcpdump or ethereal to check for outbound UDP traffic.
Here's an example of using tcpdump to watch outbound UDP traffic on my DSL connection:
Code:
# tcpdump -n -i ppp0 udp and src host $MYIP   # -n: don't resolve names, or tcpdump's own DNS lookups (UDP/53) show up in the capture

troymc
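The monitor-first approach troymc describes, carried through to the decision and the leak check, as an added example that is not from the thread or any poster. It assumes tcpdump run with -n (one-line text output of the form "HH:MM:SS.us IP src.port > dst.port: ..."), hypothetical interface names (ppp0 as WAN, eth1 as LAN), and an existing stateful "-m state --state ESTABLISHED,RELATED -j ACCEPT" rule so that DNS and NTP replies still come back. The capture and kernel-log lines are constructed; the rule set is printed, not applied, so you can read it before piping it to sh.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: tcpdump -n text format,
# hypothetical interfaces ppp0 (WAN) / eth1 (LAN), and an existing
# ESTABLISHED,RELATED accept rule for the replies. Sample data is constructed.

# 1) Capture only UDP leaving the LAN, for as long as you care to watch.
#    (Defined here, not run: needs root and a live interface.)
capture_outbound_udp() {
    # $1 = WAN interface, $2 = internal network (CIDR), $3 = output file
    # -n: don't resolve names, or tcpdump itself emits UDP/53 into its own capture
    tcpdump -n -l -i "$1" "udp and src net $2 and not dst net $2" > "$3"
}

# 2) Reduce a capture (tcpdump -n text on stdin) to "port count", busiest first.
summarize_udp() {
    awk '
        # 12:00:01.000001 IP 192.168.1.10.49152 > 192.0.2.53.53: 1+ A? example.com. (29)
        $2 ~ /^IP6?$/ && $4 == ">" {
            dst = $5; sub(/:$/, "", dst)     # "192.0.2.53.53"
            n = split(dst, f, "[.]")         # port is the last dotted field (IPv6 too)
            count[f[n]]++
        }
        END { for (p in count) print p, count[p] }
    ' | sort -k2,2nr -k1,1n
}

# 3) Print (do not apply) rules allowing only what the summary justified.
#    Port spec "123" = any host; "53@192.0.2.53" = that host only, which is
#    what keeps a blanket UDP/53 exception from becoming a DNS tunnel.
#    Everything else is logged, then dropped: the log is your leak test.
udp_egress_rules() {
    lan=$1; wan=$2; specs=$3
    echo "iptables -N UDP_EGRESS"
    for spec in $specs; do
        case $spec in
            *@*) echo "iptables -A UDP_EGRESS -p udp -d ${spec#*@} --dport ${spec%@*} -j ACCEPT" ;;
            *)   echo "iptables -A UDP_EGRESS -p udp --dport $spec -j ACCEPT" ;;
        esac
    done
    echo "iptables -A UDP_EGRESS -m limit --limit 10/min -j LOG --log-prefix 'UDP-EGRESS-DROP '"
    echo "iptables -A UDP_EGRESS -j DROP"
    echo "iptables -A FORWARD -s $lan -o $wan -p udp -j UDP_EGRESS"   # LAN hosts
    echo "iptables -A OUTPUT -o $wan -p udp -j UDP_EGRESS"            # the gateway itself
}

# 4) Count what hit the LOG rule (kernel log lines on stdin) by destination port.
summarize_dropped() {
    grep 'UDP-EGRESS-DROP' | sed -n 's/.*DPT=\([0-9]*\).*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Constructed sample of capture_outbound_udp output (DNS, NTP, one VPN-ish port).
SAMPLE_CAPTURE='12:00:01.000001 IP 192.168.1.10.49152 > 192.0.2.53.53: 1+ A? example.com. (29)
12:00:01.000002 IP 192.168.1.10.49153 > 192.0.2.53.53: 2+ AAAA? example.com. (29)
12:00:02.000003 IP 192.168.1.20.123 > 192.0.2.7.123: NTPv4, Client, length 48
12:00:03.000004 IP 192.168.1.30.51000 > 198.51.100.9.1194: UDP, length 100
12:00:04.000005 IP 192.168.1.10.49154 > 192.0.2.53.53: 3+ A? example.org. (29)
12:00:05.000006 IP6 2001:db8::10.49155 > 2001:db8:ffff::1.53: 4+ A? example.net. (29)'

# Constructed sample of what the LOG rule writes to the kernel log afterwards.
SAMPLE_LOG='Jul 24 15:12:01 gw kernel: UDP-EGRESS-DROP IN=eth1 OUT=ppp0 SRC=192.168.1.30 DST=198.51.100.9 PROTO=UDP SPT=51000 DPT=1194 LEN=108
Jul 24 15:12:05 gw kernel: UDP-EGRESS-DROP IN=eth1 OUT=ppp0 SRC=192.168.1.10 DST=8.8.8.8 PROTO=UDP SPT=49200 DPT=53 LEN=57
Jul 24 15:12:06 gw kernel: UDP-EGRESS-DROP IN=eth1 OUT=ppp0 SRC=192.168.1.10 DST=8.8.8.8 PROTO=UDP SPT=49201 DPT=53 LEN=57'

echo "== outbound UDP by destination port =="
printf '%s\n' "$SAMPLE_CAPTURE" | summarize_udp
echo "== rules to apply =="
udp_egress_rules 192.168.1.0/24 ppp0 "53@192.0.2.53 123"
echo "== dropped after the rules went in =="
printf '%s\n' "$SAMPLE_LOG" | summarize_dropped
```

For the actual leak test after the rules are in, run capture_outbound_udp on the WAN interface again: anything that still shows up there is a datagram the rule set let out, while the LOG summary shows what hosts keep trying (in the sample, a client that hard-codes 8.8.8.8 instead of the local resolver). Neither catches tunnelling over the ports you did allow; that is why the 53 exception is pinned to one resolver.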
robbyjo Guru
Joined: 06 Apr 2003 Posts: 462
Posted: Mon Jul 24, 2006 3:12 pm Post subject: |
Thanks a lot. I'll monitor the UDP traffic first for a week or so and then decide whether it's a good idea or not.