[Dshield] UDP blocking

Kelly Martin kellym at fb00.fb.org
Fri Mar 15 19:53:03 GMT 2002


Some firewalls don't let you filter by source port, only by destination, or
don't let you open a source port to only a range of destination ports.
Opening port 53 to all destination ports is obviously a Very Bad Idea; you
at least have to close it to any ports on which you run actual services.

> -----Original Message-----
> From:	Nels Lindquist [SMTP:nlindq at maei.ca]
> Sent:	Friday, March 15, 2002 12:11 PM
> To:	list at dshield.org
> Subject:	RE: [Dshield] UDP blocking
> 
> On 14 Mar 2002 at 15:40, Kelly Martin wrote:
> 
> > DNS is UDP port 53.  Note also that queries go out (by default) on
> > random UDP ports, and the replies come back to the same port the query
> > originated from.  If you are not using a stateful firewall, you will
> > have to either open all of UDP or lock your DNS client down to use a
> > specified query port.
> 
> You shouldn't have to open up *all* UDP traffic.  Allowing UDP
> traffic from port 53 to unprivileged ports (>=1024) should be
> sufficient.
> 
> > If you have a trusted resolver you can use, you can open UDP only to
> > that trusted resolver.
> 
> As long as that trusted resolver will never refer your request to a 
> different server.
> Nels Lindquist <*>
> ----
> Quidquid latine dictum sit altum viditur.
> 
> Whatever is said in Latin, sounds profound.
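The four firewall policies discussed in this thread (source port 53 open to every destination port, source port 53 open only to unprivileged ports, source port 53 open only from one trusted resolver, and a stateful filter that matches replies to outstanding queries) can be compared side by side with a small packet-filter simulator. The code below is an added example written for this archive page; it is not from either poster and is not a real firewall. The addresses are constructed RFC 5737 documentation addresses, and the packets are made up to exercise each rule set.

```python
from dataclasses import dataclass

# Constructed documentation addresses (RFC 5737), not hosts from the thread.
CLIENT = "198.51.100.10"      # our DNS client behind the firewall
RESOLVER = "192.0.2.53"       # the "trusted resolver"
STRANGER = "203.0.113.9"      # any other Internet host


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Stateless inbound rule: (proto, src_ip or "any", (src_lo, src_hi), (dst_lo, dst_hi), action)
def stateless_allows(pkt, rules):
    """First-match evaluation of a stateless inbound rule list; default deny."""
    for proto, src_ip, (sp_lo, sp_hi), (dp_lo, dp_hi), action in rules:
        if proto != pkt.proto or src_ip not in ("any", pkt.src_ip):
            continue
        if not (sp_lo <= pkt.src_port <= sp_hi and dp_lo <= pkt.dst_port <= dp_hi):
            continue
        return action == "allow"
    return False


# The "Very Bad Idea": anything with source port 53 reaches every local port.
OPEN_53_ANY = [("udp", "any", (53, 53), (0, 65535), "allow")]
# Nels's suggestion: source port 53 only to unprivileged (>=1024) ports.
OPEN_53_HIGH = [("udp", "any", (53, 53), (1024, 65535), "allow")]
# Kelly's trusted-resolver variant: same, but only from the resolver's address.
TRUSTED_ONLY = [("udp", RESOLVER, (53, 53), (1024, 65535), "allow")]


class StatefulFilter:
    """Remembers outbound queries and admits only the matching reply, once."""

    def __init__(self):
        self.pending = set()

    def outbound(self, pkt):
        # Record (server, client, client query port) for each query we send.
        if pkt.proto == "udp" and pkt.dst_port == 53:
            self.pending.add((pkt.dst_ip, pkt.src_ip, pkt.src_port))

    def inbound_allows(self, pkt):
        key = (pkt.src_ip, pkt.dst_ip, pkt.dst_port)
        if pkt.proto == "udp" and pkt.src_port == 53 and key in self.pending:
            self.pending.discard(key)   # one reply per query; a replay is dropped
            return True
        return False


def evaluate():
    """Run constructed packets through each policy; returns {policy: {packet: allowed}}."""
    reply = Packet("udp", RESOLVER, 53, CLIENT, 34567)        # genuine reply to our query
    probe_snmp = Packet("udp", STRANGER, 53, CLIENT, 161)     # src port 53 aimed at a service port
    probe_high = Packet("udp", STRANGER, 53, CLIENT, 8080)    # src port 53 aimed at a high service port
    other_reply = Packet("udp", STRANGER, 53, CLIENT, 34567)  # "reply" from a server we never asked
    samples = {"reply": reply, "probe_snmp": probe_snmp,
               "probe_high": probe_high, "other_reply": other_reply}

    results = {}
    for name, rules in (("open_53_any", OPEN_53_ANY),
                        ("open_53_high", OPEN_53_HIGH),
                        ("trusted_only", TRUSTED_ONLY)):
        results[name] = {k: stateless_allows(p, rules) for k, p in samples.items()}

    sf = StatefulFilter()
    sf.outbound(Packet("udp", CLIENT, 34567, RESOLVER, 53))   # our query leaves first
    results["stateful"] = {k: sf.inbound_allows(p) for k, p in samples.items()}
    results["stateful"]["replayed_reply"] = sf.inbound_allows(reply)
    return results


if __name__ == "__main__":
    for policy, verdicts in evaluate().items():
        print(policy, verdicts)
```

Reading the output: the port-53-to-anywhere rule lets a packet with source port 53 reach SNMP on port 161, which is the point Kelly makes; restricting the destination to >=1024 fixes that but still admits the same packet to a service listening on 8080, which is why ports that actually run services must still be closed; pinning the source to the trusted resolver blocks the stray "reply" from another server, which is exactly Nels's caveat about referrals; only the stateful filter admits nothing but the one reply to a query that really went out.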
