NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > FreeBSD Security> 2002-04

From: Dan Lukes (danobluda.cz)
Date: Mon Apr 22 2002 - 19:23:41 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Len Conrad wrote:

> On egress, bind will query via udp/tcp on port > 1023.

... unless your named.conf say something other.

Because you must have open local port 53 for INcoming questions and for
OUTgoing replies already you may decide to select port 53 as source for
your own OUTgoing questions (e.g. INcoming replies) also -> simple
configuration of firewall; no need for (random) ports >1023 -> no need
for "keep-state" (possible subject of DoS) rules.

Dan

-- Dan Lukes, SISAL, MFF UK tel: +420 2 21914205, fax: +420 2 21914206 AKA: dan

obluda.cz, dan

freebsd.cz, dan

kolej.mff.cuni.cz, dan

fio.cz

To Unsubscribe: send mail to majordomoFreeBSD.org with "unsubscribe freebsd-security" in the body of the message

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]