[Dshield] UDP blocking
kellym at fb00.fb.org
Fri Mar 15 19:53:03 GMT 2002
Some firewalls don't let you filter by source port, only by destination, or
don't let you open a source port to only a range of destination ports.
Opening port 53 to all destination ports is obviously a Very Bad Idea; you
at least have to close it to any ports on which you run actual services.
> -----Original Message-----
> From: Nels Lindquist [SMTP:nlindq at maei.ca]
> Sent: Friday, March 15, 2002 12:11 PM
> To: list at dshield.org
> Subject: RE: [Dshield] UDP blocking
> On 14 Mar 2002 at 15:40, Kelly Martin wrote:
> > DNS is UDP port 53. Note also that queries go out (by default) on
> > UDP ports, and the replies come back to the same port the query
> > from. If you are not using a stateful firewall, you will have to either
> > open all of UDP or lock your DNS client down to use a specified query
> You shouldn't have to open up *all* UDP traffic. Allowing UDP
> traffic from port 53 to unprivileged ports (>=1024) should be
> > If you have a trusted resolver you can use, you can open UDP only to
> > trusted resolver.
> As long as that trusted resolver will never refer your request to a
> different server.
> Nels Lindquist <*>
> Quidquid latine dictum sit altum viditur.
> Whatever is said in Latin, sounds profound.
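Worked illustration of the three policies discussed in this thread (an added example, not code from the DShield list or any of the posters): the weak stateless rule "UDP source port 53 to any destination port >= 1024", the same rule with the host's own UDP service ports closed again, and a stateful filter that only admits a reply matching a query it saw leave, optionally restricted to one trusted resolver. A real deployment writes the rules in the firewall's own syntax; this models the decision logic so the difference can be exercised. The host, resolver and attacker addresses, the port numbers and the list of local UDP services are all constructed for the example.

```python
"""Stateless vs. stateful handling of inbound DNS replies on a UDP packet filter.

Added example for the DShield "UDP blocking" thread, not the list's own code.
Rule semantics follow the thread: without state, inbound UDP from source port
53 to the unprivileged range (>= 1024) has to be allowed, and any port on which
the host actually runs a UDP service must be closed again; with state, only a
reply that matches an outstanding query is admitted.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed for the example: UDP ports on which the protected host runs real
# services (OpenVPN, NFS, SIP, a management daemon). On a real host build this
# from what actually listens, e.g. the output of `ss -lun`.
LOCAL_UDP_SERVICES = frozenset({1194, 2049, 5060, 10000})


def stateless_allows(pkt: Packet, exclude_services: bool = True) -> bool:
    """Stateless rule: allow UDP from source port 53 to destination >= 1024.

    exclude_services=False is the weak rule from the thread (any unprivileged
    port is reachable from a spoofed source port 53); True closes the ports
    that carry actual services again.
    """
    if pkt.proto != "udp" or pkt.src_port != 53:
        return False
    if pkt.dst_port < 1024:
        return False
    if exclude_services and pkt.dst_port in LOCAL_UDP_SERVICES:
        return False
    return True


class StatefulFilter:
    """Admits a DNS reply only if it matches a query seen leaving the host."""

    def __init__(self, trusted_resolvers=()):
        # (local ip, local port, resolver ip) for each unanswered query
        self.pending = set()
        # Empty set means queries to any server are allowed out.
        self.trusted = frozenset(trusted_resolvers)

    def outbound(self, pkt: Packet) -> bool:
        if pkt.proto != "udp" or pkt.dst_port != 53:
            return False
        # Models the "trusted resolver" case: a query the stub sends to some
        # other server (e.g. after a referral) never gets out.
        if self.trusted and pkt.dst_ip not in self.trusted:
            return False
        self.pending.add((pkt.src_ip, pkt.src_port, pkt.dst_ip))
        return True

    def inbound(self, pkt: Packet) -> bool:
        if pkt.proto != "udp" or pkt.src_port != 53:
            return False
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip)
        if key in self.pending:
            self.pending.discard(key)   # one reply per query, no replays
            return True
        return False


def demo() -> dict:
    """Run the three policies against a legitimate reply and a spoofed packet."""
    host, resolver, attacker = "192.0.2.10", "203.0.113.53", "198.51.100.7"
    query = Packet("udp", host, 33456, resolver, 53)
    reply = Packet("udp", resolver, 53, host, 33456)
    # Attacker forges source port 53 to reach the host's NFS port.
    spoof_nfs = Packet("udp", attacker, 53, host, 2049)
    stateful = StatefulFilter(trusted_resolvers=[resolver])
    return {
        "weak_rule_admits_spoof_to_nfs": stateless_allows(spoof_nfs, exclude_services=False),
        "fixed_rule_admits_spoof_to_nfs": stateless_allows(spoof_nfs),
        "fixed_rule_admits_reply": stateless_allows(reply),
        "stateful_unsolicited_reply": stateful.inbound(reply),
        "stateful_query_out": stateful.outbound(query),
        "stateful_matching_reply": stateful.inbound(reply),
        "stateful_replayed_reply": stateful.inbound(reply),
        "stateful_spoof_to_nfs": stateful.inbound(spoof_nfs),
        "stateful_query_to_other_server": stateful.outbound(
            Packet("udp", host, 33457, "203.0.113.99", 53)),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DROP'}")
```

The stateless rule only helps once the service-port exclusion is in place, and even then it still lets a packet with a forged source port 53 reach any unprivileged port that is not on the list; the stateful filter drops the spoof and the replay outright, but with a single trusted resolver configured it also drops a query the stub sends anywhere else, which is the caveat raised at the end of the thread.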