Dave Mischler asks:
>>Should I allow "random" client ports through? What are the security
>>implications?
In article <9303140222.AA28805@TIS.COM> mjr@TIS.COM (Marcus J Ranum) writes:
> One implication is that anyone with a tunnelling driver can
>run IP tunnelled through your firewall using NS packets as the
>transport layer.
>
> Yes, I have code that does this. ;)
You need to allow access to port 53 on your DNS server from ANYWHERE
unless you want to preclude many normal maintenance and troubleshooting
activities (NSLOOKUP, for example).
And no, you probably should not allow access to port 53 of other
machines inside to cross the firewall. The above is a good example of why.
--
/ Lars Poulsen, SMTS Software Engineer Internet E-mail: lars@CMC.COM
CMC Network Products / Rockwell Int'l Telephone: +1-805-968-4262
Santa Barbara, CA 93117-3083 TeleFAX: +1-805-968-8256
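To show why the answer to the "random client ports" question matters, here is an added Python example (not code from the thread or from any of its posters) that puts the permissive stateless rule set beside a filter that only admits a port-53 reply when an inside client actually sent the matching query. The addresses, the inside prefix and the `pending` table are constructed assumptions.

```python
# Added example: a tiny first-match packet filter, two policies for DNS.
# Addresses below are constructed (documentation ranges), not from the thread.
from dataclasses import dataclass

DNS_SERVER = "192.0.2.53"   # constructed: the site's own name server
INSIDE_NET = "192.0.2."     # constructed: prefix of the inside network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def is_inside(addr: str) -> bool:
    return addr.startswith(INSIDE_NET)


def stateless_policy(pkt: Packet) -> str:
    """Permissive rule set: anything with source port 53 is let in to any
    high ("random") client port, so an outside host that sets sport=53 can
    deliver arbitrary packets to any inside host. That is the tunnel transport."""
    if pkt.dport == 53 and pkt.dst == DNS_SERVER:
        return "allow"          # queries to our name server from anywhere
    if pkt.sport == 53 and pkt.dport > 1023 and is_inside(pkt.dst):
        return "allow"          # any "reply" to any inside host, unasked
    return "deny"


class StatefulFilter:
    """Inbound port 53 is reachable only on the name server; a reply to an
    inside client is admitted only if that client sent the matching query."""

    def __init__(self) -> None:
        self.pending: set = set()   # (inside host, client port, outside server)

    def outbound(self, pkt: Packet) -> str:
        if pkt.dport == 53 and is_inside(pkt.src):
            self.pending.add((pkt.src, pkt.sport, pkt.dst))
            return "allow"
        return "deny"

    def inbound(self, pkt: Packet) -> str:
        if pkt.dport == 53 and pkt.dst == DNS_SERVER:
            return "allow"      # still open to the world, as Lars recommends
        key = (pkt.dst, pkt.dport, pkt.src)
        if pkt.sport == 53 and key in self.pending:
            self.pending.discard(key)   # one reply per outstanding query
            return "allow"
        return "deny"           # unsolicited "reply" or port 53 on another host
```

The state check only stops unsolicited inbound packets; data carried inside legitimate query and response pairs to the name server still crosses, so the rule set narrows the channel rather than closing it.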