udp packets and firewalls

Barry Margolin barmar at genuity.net
Wed May 31 14:36:22 UTC 2000


In article <1.5.4.32.20000530234932.00689900 at pop.ma.ultranet.com>,
Wayne Vigeant  <wvigeant at ma.ultranet.com> wrote:
>
>I'm currently working with a customer who has a single Internet
>access point. The customer's firewall allows dns queries from the
>Internet to pass through to an internal nameserver.
>The customer wants to add a second Internet access point and allow
>dns queries to pass through both of the Internet access points. 
>
>The customer's firewall is a packet filter and allows UDP packets
>to port 53 to pass in either direction (inbound or outbound). Is
>it safe to say that since only UDP packets are being allowed that
>a query which comes in to the internal network through a firewall 
>in Singapore can be replied to by a response which passes outward 
>through a firewall in Tokyo?
>
>Does the nameserver making the query care if the reply follows the
>same path as the query? It would appear not to matter but I just want 
>to be sure bind doesn't care.

In general, hosts don't know what path packets take on the Internet, so
it's not possible for them to care.

However, some firewalls are stateful, and only allow replies if they've
seen the request going in the opposite direction.  So you need to find out
whether the Tokyo firewall is like this.

-- 
Barry Margolin, barmar at genuity.net
Genuity, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
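An added illustration of the distinction drawn above, not code from the thread: a stateless port-53 packet filter versus a stateful filter with a per-firewall UDP flow table, with a query entering via "Singapore" and its reply leaving via "Tokyo". Hostnames, addresses and ports are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


class StatelessFilter:
    """Packet filter as in the question: UDP to/from port 53 passes either way."""

    def allow(self, pkt: Packet) -> bool:
        return pkt.proto == "udp" and 53 in (pkt.sport, pkt.dport)


class StatefulFilter:
    """Admits a new UDP flow only if it is a query (dport 53) and records it;
    a reply passes only if THIS firewall saw the matching query."""

    def __init__(self) -> None:
        self.flows: set[tuple] = set()  # per-device state, not shared

    def allow(self, pkt: Packet) -> bool:
        if pkt.proto != "udp":
            return False
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:  # reply to a query tracked here
            return True
        if pkt.dport == 53:  # new query: create state and pass
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False  # reply with no local state: dropped


def simulate(stateful: bool) -> dict:
    """Query comes in through Singapore; reply tries to leave through Tokyo."""
    make = StatefulFilter if stateful else StatelessFilter
    singapore, tokyo = make(), make()
    # constructed: resolver 203.0.113.9 queries internal nameserver 192.0.2.53
    query = Packet("203.0.113.9", 40123, "192.0.2.53", 53)
    reply = Packet("192.0.2.53", 53, "203.0.113.9", 40123)
    return {
        "query_in_singapore": singapore.allow(query),
        "reply_out_tokyo": tokyo.allow(reply),       # asymmetric path
        "reply_out_singapore": singapore.allow(reply),  # symmetric path
    }
```

With stateless filters every packet passes; with stateful ones the reply is accepted only by the firewall that saw the query, which is exactly the check to make on the Tokyo device.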