Bob Sutterfield <bob @
# Does anybody let UDP packets through firewalls? Never let UDP
# through firewalls.
# What about DNS and NTP and other such benign stuff? They should all
# be handled by a proxy on the firewall or in a DMZ, right?
I let DNS through, but only because there's a quirk in BIND that lets
me do it with filters that only look at packet destination ports
(which is all most of the filtering implementations will let you look
at) without exposing any other UDP services.
The quirk is that when a BIND server talks to another name server,
both ends of the connection use port 53. Thus, I can allow only UDP
packets with a destination of port 53 (I don't need to allow all ports
>1023 for the return packets, like you must with most TCP services)
through the firewall, and DNS servers (or at least BIND-based servers)
on both sides of the firewall can talk to each other.
I haven't looked at NTP yet; none of the clients I've set up firewalls
for have requested it. If it uses a random port for one end of the
connection, I don't see any safe way to let NTP traffic through a
firewall that only looks at destination addresses; if you do, you'll
also end up exposing all RPC-based services, like YP and so forth.
Brent Chapman
Great Circle Associates
1057 West Dana Street
Mountain View, CA 94041
+1 415 962 0841
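The filtering behaviour described in the message above, simulated as an added example that is not part of the original post and is not code from BIND or any firewall product. It models a stateless filter that can only test the UDP destination port, applies the "destination port 53 only" policy to constructed sample traffic, and shows what the looser "all ports above 1023" policy (what a random-port service such as NTP would need) additionally lets in. The internal network, the host addresses, the sample packets and the port 1027 RPC service are all hypothetical, chosen from the documentation address ranges.

```python
"""Stateless UDP packet-filter simulation of the destination-port-only DNS rule.

Added example: not code from the original post, from BIND, or from any real
firewall. Network, hosts and packets are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical internal network sitting behind the filter.
INSIDE = ip_network("192.0.2.0/24")


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self):
        """The packet the receiver would send back: addresses and ports swapped."""
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport)


def crosses_firewall(pkt):
    """Only packets with exactly one end inside pass through the filter at all."""
    return (ip_address(pkt.src) in INSIDE) != (ip_address(pkt.dst) in INSIDE)


def dns_only(pkt):
    """Policy from the message: pass UDP only when the destination port is 53.
    The same test is applied in both directions; nothing else is inspected."""
    return pkt.proto == "udp" and pkt.dport == 53


def dns_plus_high_ports(pkt):
    """What a service with a random port on one end (NTP in the message) needs:
    its own port plus every port above 1023, so the replies can get back."""
    return pkt.proto == "udp" and (pkt.dport in (53, 123) or pkt.dport > 1023)


def passes(policy, pkt):
    """Does a single packet get through under the given policy?"""
    return policy(pkt) if crosses_firewall(pkt) else True


def exchange_works(policy, query):
    """True only if the query passes and the answer to it passes as well."""
    return passes(policy, query) and passes(policy, query.reply())


# Constructed sample traffic (inside is 192.0.2.0/24, outside hosts are made up).
SAMPLES = {
    # BIND server to BIND server: both ends use port 53, so the reply
    # also has destination port 53 and the stateless rule lets it back in.
    "bind to bind": Packet("udp", "192.0.2.53", 53, "198.51.100.10", 53),
    # A resolver that queries from an ephemeral port: the query gets out,
    # but the answer comes back to port 4096 and is dropped.
    "stub resolver": Packet("udp", "192.0.2.77", 4096, "198.51.100.10", 53),
    # NTP client using a random source port.
    "ntp client": Packet("udp", "192.0.2.5", 1025, "198.51.100.20", 123),
    # Outside probe of a hypothetical portmapper-assigned RPC port (e.g. YP).
    "rpc probe": Packet("udp", "203.0.113.9", 31337, "192.0.2.77", 1027),
    # Outside probe of UDP port 53 on an arbitrary internal host: the DNS rule
    # delivers this to anything inside that listens on 53, not just the server.
    "udp/53 probe": Packet("udp", "203.0.113.9", 31337, "192.0.2.77", 53),
}


def evaluate(policy):
    """Map each sample exchange to whether both directions pass the policy."""
    return {name: exchange_works(policy, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, policy in (("dns_only", dns_only), ("dns_plus_high_ports", dns_plus_high_ports)):
        print(name)
        for sample, ok in evaluate(policy).items():
            print(f"  {sample:14s} {'exchange works' if ok else 'blocked'}")
    print("udp/53 probe delivered under dns_only:", passes(dns_only, SAMPLES["udp/53 probe"]))
```

Under `dns_only`, only the server-to-server exchange completes; the stub resolver's and NTP client's replies are dropped, and the RPC probe never gets in, but a single UDP datagram to port 53 on any internal host is still delivered. Under `dns_plus_high_ports` every sample exchange completes, including the probe of the RPC port, which is the exposure the message warns about. Note also that BIND has used random source ports for its outgoing queries since the 2008 cache-poisoning fixes, so the port-53-to-port-53 assumption this rule relies on no longer holds for current servers; the simulation stands as an illustration of what a destination-port-only filter can and cannot express.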