I have a question related to how PIX/ASA firewalls maintain UDP session information. My understanding is that when there is a UDP connection from a lower to a higher security zone, the UDP server (e.g. DNS) in the higher security zone responds to the UDP query even if the outbound UDP is blocked (i.e. even if there is an explicit ACL blocking DNS traffic from inside to outside).
So, how would the FW track the different UDP sessions while UDP is a connectionless protocol? I can understand it with TCP as TCP sessions have unique session numbers, but how is that dealt with for UDP protocols?
TCP doesn't have a notion of a session number. Hosts track TCP sessions the same way as UDP: via the 4-tuple of the connection's IPs and ports.