Correct Ports?

Adam Lang aalang at rutgersinsurance.com
Wed Jun 6 19:42:12 UTC 2001
The firewall security doesn't seem to make much sense.

You're trying to restrict things based on the ports they are coming from
also?  You're going to go loco.

In regards to DNS, block everything unless the destination port is 53.
Other than that, you shouldn't really care what the originating port is.

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
http://www.rutgersinsurance.com
----- Original Message -----
From: "Peter Billson" <pete at elbnet.com>
To: "Michael Kjorling" <michael at kjorling.com>
Cc: "BIND-Users" <bind-users at isc.org>
Sent: Wednesday, June 06, 2001 2:30 PM
Subject: Re: Correct Ports?


>
> > This setup seems reasonable to me - however, what reason do you have
> > for _not_ allowing incoming DNS packets from privileged ports != 53?
>
> > I have still failed to see what harm it could do if a DNS request came
> > from e.g. the FTP port. After all, it's the destination port (service
> > in IPv6) that matters, not the source port. That one is just there to
> > help route incoming reply packets to the correct application.
>
>   Well two purposes to my question:
>
> 1) Trying to make sure my firewall is as restrictive as possible without
> breaking things.
>
> 2) With the firewall set as described I have been logging a number of
> packets that would get rejected. While some seem to be real DNS requests
> (i.e. 10-15 packets logged and tries on multiple name servers if the
> first fails), a great many seem to be bogus requests (i.e. only one or
> two packets and only to one server). Reverse lookups of the IPs often
> do not resolve to anything, which makes me wonder if it isn't just people
> probing away looking for a weakness.
>
> Pete
> --
> http://www.elbnet.com
> ELB Internet Services, Inc.
> Web Design, Computer Consulting, Internet Hosting
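An added example, not from anyone in this thread, that models the two policies being debated (Adam's "only the destination port matters" rule versus the stricter rule Pete described that also rejects DNS queries from privileged source ports other than 53) and applies Pete's heuristic for telling retry patterns from lone probes. The log entries and addresses are constructed; nothing here is a real firewall's syntax.

```python
from collections import defaultdict

# Constructed sample of packets the firewall saw: (src_ip, src_port, dst_ip, dst_port).
LOG = [
    ("192.0.2.10", 1025, "198.51.100.1", 53),   # resolver retrying across two servers
    ("192.0.2.10", 1025, "198.51.100.2", 53),
    ("192.0.2.10", 1026, "198.51.100.1", 53),
    ("203.0.113.7", 21, "198.51.100.1", 53),    # query from the FTP port, still DNS
    ("203.0.113.9", 53, "198.51.100.1", 80),    # destination is not 53: not DNS at all
]


def dns_allowed_by_destination(src_port, dst_port):
    """Adam's rule: permit DNS purely on the destination port."""
    return dst_port == 53


def dns_allowed_by_source_too(src_port, dst_port):
    """Pete's stricter rule: also reject privileged source ports other than 53."""
    return dst_port == 53 and (src_port == 53 or src_port >= 1024)


def differing_verdicts(log):
    """Entries where the stricter rule drops what the destination-only rule allows,
    i.e. legitimate queries that only differ in their source port."""
    return [
        entry for entry in log
        if dns_allowed_by_destination(entry[1], entry[3])
        != dns_allowed_by_source_too(entry[1], entry[3])
    ]


def classify_sources(log):
    """Pete's heuristic over DNS-destined entries: a source that retries or spreads
    its queries across several name servers looks like a real resolver; one or two
    packets aimed at a single server looks like a probe."""
    stats = defaultdict(lambda: {"packets": 0, "servers": set()})
    for src_ip, _src_port, dst_ip, dst_port in log:
        if dst_port != 53:
            continue
        stats[src_ip]["packets"] += 1
        stats[src_ip]["servers"].add(dst_ip)
    return {
        ip: "retry-pattern" if len(s["servers"]) > 1 or s["packets"] > 2 else "single-probe"
        for ip, s in stats.items()
    }


if __name__ == "__main__":
    print("dropped only by the stricter rule:", differing_verdicts(LOG))
    print("source classification:", classify_sources(LOG))
```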
