UDP is stateless so naturally it's a bit harder to do a reliable job of keeping state
on it. Nonetheless, ipf does a pretty good job. When machine A sends a UDP packet to
machine B with source port X and destination port Y, ipf will allow a reply from machine
by to machine A with source port Y and destination port Y. This is is a short term state
entry, a mere 60 seconds.
Here's an example of what happens if we use nslookup to get the IP address of
$ nslookup www.3com.com
A DNS packet is generated:
17:54:25.499852 220.127.116.11.2111 > 18.104.22.168.53: 51979+
The packet is from 22.214.171.124, port 2111, destined for 126.96.36.199, port 53. A 60 second state entry is created. If a packet comes back from 188.8.131.52 port 53 destined for 184.108.40.206 port 2111 within that period of time, the reply packet will be let through. As you can see, milliseconds later:
17:54:25.501209 220.127.116.11.53 > 18.104.22.168.2111: 51979 q: www.3com.com
The reply packet matches the state criteria and is let through. At that same moment that packet is let through, the state gateway is closed and no new incoming packets will be allowed in, even if they claim to be from the same place.