Great Circle Associates Firewalls
(March 1993)
 


Subject: Re: DNS Client Ports
From: lars@spectrum.CMC.COM (Lars Poulsen)
Organization: CMC Network Systems (Rockwell DCD), Santa Barbara, CA, USA
Date: Sun, 14 Mar 93 04:10:04 GMT
Apparently-to: firewalls@greatcircle.com
Newsgroups: list.firewalls
References: <9303140222.AA28805@TIS.COM>

Dave Mischler asks:
>>Should I allow "random" client ports through?  What are the security
>>implications?

In article <9303140222.AA28805@TIS.COM> mjr@TIS.COM (Marcus J Ranum) writes:
>	One implication is that anyone with a tunnelling driver can
>run IP tunnelled through your firewall using NS packets as the
>transport layer.
>
>	Yes, I have code that does this. ;)

You need to allow access to port 53 on your DNS server from ANYWHERE
unless you want to preclude many normal maintenance and troubleshooting
activities. (NSLOOKUP for example).

And no, you probably should not allow access to port 53 of other
machines inside to cross the firewall. The above is a good example why.
-- 
/ Lars Poulsen, SMTS Software Engineer	Internet E-mail: lars@CMC.COM
  CMC Network Products / Rockwell Int'l	Telephone: +1-805-968-4262
  Santa Barbara, CA 93117-3083		TeleFAX:   +1-805-968-8256
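The two rules Lars states (port 53 on the designated DNS server reachable from anywhere, port 53 on every other inside machine not exposed) written out as a small stateless packet-filter evaluator. This is an added example, not code from the post or from any firewall product; the addresses, the inside network and the Packet type are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed for the example: the protected network and its one DNS server.
INSIDE = ip_network("192.0.2.0/24")
DNS_SERVER = ip_address("192.0.2.53")


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"; DNS uses both, and the rules apply to both
    src: str
    sport: int
    dst: str
    dport: int


def decide(p: Packet) -> str:
    """Apply only the DNS-related rules from the post.

    Returns "allow", "deny", or "no-match" (so other policy decides).
    """
    src, dst = ip_address(p.src), ip_address(p.dst)

    # Rule 1: port 53 on the DNS server is reachable from ANYWHERE, whatever
    # "random" client port the outside resolver or nslookup happens to use.
    if dst == DNS_SERVER and p.dport == 53:
        return "allow"

    # Rule 2: the server's answers (source port 53) may go back out to that
    # client port; this is the only outbound traffic the example lets through.
    if src == DNS_SERVER and p.sport == 53 and dst not in INSIDE:
        return "allow"

    # Rule 3: port 53 on any OTHER inside machine does not cross the firewall.
    # A peer tunnelling IP inside "NS packets" would need exactly this path,
    # and a source port of 53 on the outside end does not change the verdict.
    if dst in INSIDE and p.dport == 53:
        return "deny"

    return "no-match"


if __name__ == "__main__":
    for pkt in (Packet("udp", "198.51.100.7", 3456, "192.0.2.53", 53),
                Packet("udp", "192.0.2.53", 53, "198.51.100.7", 3456),
                Packet("udp", "198.51.100.7", 53, "192.0.2.10", 53)):
        print(pkt, "->", decide(pkt))
```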



