From: Rich Wilson (wk633 YAHOO.COM)
Date: Thu Apr 05 2001 - 16:10:26 CDT
> If you want to
> receive DNS answers on front-end you should allow UDP 53. On back-end
> there's (usually) no reason to block any traffic, so you may just permit all
> UDP/TCP ports on this adapter.
This is related to my problem of Win2K port filtering breaking my DNS (as a
client). Someone else pointed out privately that since UDP doesn't have any
sense of an 'established' connection, the reply from the server's port 53 to
your port > 1024 won't get back. (Also, DNS does use TCP for packets too large
for UDP, which sometimes happens in cases other than zone transfers).
IMO port filtering on Win2K is mostly useless. In particular, if you want to
prevent certain services from using certain interfaces, then you will want to
prevent outbound traffic as well, in which case IPSec will do the job.
On that note, does anyone know of any way to automate the creation/application
of IPSec policies? I'm trying to use ipsecpol.exe which is in the IISLock
at http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19889, but my
reading of the -? output is leading to user commands that have strange
effects :-)
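The two behaviours the post relies on, a UDP reply arriving from port 53 at an ephemeral client port and a fallback to TCP 53 when the answer is truncated, shown as an added example (not code from the original post). It assumes a resolver at the placeholder address 192.0.2.53; the packet builder and header parser run offline.

```python
# Added example: minimal DNS client that queries over UDP from an ephemeral
# port and repeats the query over TCP when the server sets the TC flag.
# RESOLVER below is a constructed placeholder, not a real server.
import socket
import struct

RESOLVER = "192.0.2.53"

def build_query(name, qtype=1, txid=0x1234):
    """Standard recursive query for `name` (qtype 1 = A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def is_truncated(reply):
    """True when the TC bit (0x0200 in the flags word) is set in the reply."""
    flags = struct.unpack("!H", reply[2:4])[0]
    return bool(flags & 0x0200)

def _recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket or raise if the peer closes early."""
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("TCP DNS connection closed early")
        data += chunk
    return data

def resolve(name, resolver=RESOLVER, timeout=2.0):
    """Returns (transport_used, raw_reply). A stateless inbound filter that
    only knows 'allow UDP 53' never matches the reply, which is addressed
    resolver:53 -> client:ephemeral (>1024), so the call below would time out."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (resolver, 53))        # source port chosen by the OS
        reply, _ = udp.recvfrom(4096)            # reply comes back to that port
    if not is_truncated(reply):
        return "udp", reply
    # TC set: retry over TCP 53; each message is framed by a 2-byte length.
    with socket.create_connection((resolver, 53), timeout=timeout) as tcp:
        tcp.sendall(struct.pack("!H", len(query)) + query)
        length = struct.unpack("!H", _recv_exact(tcp, 2))[0]
        return "tcp", _recv_exact(tcp, length)

if __name__ == "__main__":
    transport, raw = resolve("example.com")
    print(transport, len(raw), "bytes")
```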