TCP Versus UDP with CBAC
TCP has clear-cut connections, so CBAC (and other stateful inspection and filtering methods) can
handle it rather easily. However, CBAC works at a deeper level than simply protocols and port
numbers. For example, with FTP traffic, CBAC recognizes and inspects the specific FTP control-channel
commands to decide when to open and close the temporary firewall openings.
By comparison to TCP, UDP traffic is connectionless and therefore more difficult to handle. CBAC
manages UDP by approximating a session based on factors such as whether the source and destination
addresses and ports of a UDP datagram match those of datagrams seen recently, and on their relative
timing. You can configure a global idle timeout that CBAC uses to determine whether a datagram
arrived “close enough” in time to be considered part of the same flow. You can also configure other
timeouts, including protocol-specific timeouts for TCP and UDP traffic.
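The UDP approximation described above, as an added illustrative model (not Cisco's CBAC implementation and not code from this text): an outbound datagram creates a pseudo-session keyed on its address/port tuple, and an inbound datagram is admitted only if it mirrors a recent outbound one and arrives within the idle timeout. The 30-second timeout and the addresses are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Datagram:
    """A UDP datagram with its arrival time in seconds (constructed sample type)."""
    src: str
    sport: int
    dst: str
    dport: int
    t: float


class UdpInspector:
    """Simplified stateful UDP inspector: no handshake exists, so a 'session' is
    inferred from matching address/port pairs plus an idle timeout."""

    def __init__(self, idle_timeout: float = 30.0):  # assumed default, not CBAC's
        self.idle_timeout = idle_timeout
        self.sessions: dict[tuple, float] = {}  # (src, sport, dst, dport) -> last seen

    def outbound(self, d: Datagram) -> None:
        """Outbound datagram from the trusted side opens or refreshes a pseudo-session."""
        self.sessions[(d.src, d.sport, d.dst, d.dport)] = d.t

    def inbound(self, d: Datagram) -> bool:
        """Admit an inbound datagram only if it reverses a live pseudo-session."""
        key = (d.dst, d.dport, d.src, d.sport)  # reversed tuple of the outbound flow
        last = self.sessions.get(key)
        if last is None or d.t - last > self.idle_timeout:
            self.sessions.pop(key, None)  # unknown or idle too long: opening is closed
            return False
        self.sessions[key] = d.t  # a matching reply keeps the opening alive
        return True


def demo() -> tuple[bool, bool, bool]:
    """Constructed DNS-style exchange: one valid reply, one wrong port, one stale reply."""
    insp = UdpInspector(idle_timeout=30.0)
    insp.outbound(Datagram("10.0.0.5", 40000, "203.0.113.53", 53, t=0.0))
    ok = insp.inbound(Datagram("203.0.113.53", 53, "10.0.0.5", 40000, t=1.0))
    wrong_port = insp.inbound(Datagram("203.0.113.53", 53, "10.0.0.5", 40001, t=1.5))
    too_late = insp.inbound(Datagram("203.0.113.53", 53, "10.0.0.5", 40000, t=45.0))
    return ok, wrong_port, too_late  # (True, False, False)


if __name__ == "__main__":
    print(demo())
```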