OSEC

From: Phil Cox (Phil.CoxSYSTEMEXPERTS.COM)
Date: Thu Apr 05 2001 - 18:10:36 CDT

    > I'm trying to add Win2K port filtering (not via IPSec) to a Win2K
    > IIS Server, and it breaks dns as a client. I've allowed both 53 UDP and
    > TCP.

    Remember that the client will use a "random" numbered high port (>1024
    typically) as the source port, and the destination is 53. So adding these
    filters will not do anything from the client's perspective.

    > Based on Philip Cox's 'Hardening Windows 2000' paper
    > (http://www.systemexperts.com/tutors/HardenW2K101.pdf)
    > I don't think I should even have to explicitly open port 53
    > to use dns as a client.

    You don't; TCP/IP port filtering is only for inbound connections.

    > In any case, with port filtering on, and 53 (tcp and udp) open,
    > dns times out. With port filtering off, dns works fine.

    What happens if you allow all UDP ports? I am wondering if it is the case
    that by blocking UDP packets, it blocks even the return packets (i.e.,
    srcport = 53, destport > 1024). I thought there was a bit of statefulness in
    it, but I'll have to check again.

    Nope, ... I get the same results. I'll have to investigate this, as I don't
    have the answer off the top of my head ;(

    Phil
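
The following is an added example and not part of the thread above. It is a small Python model of the two filter behaviours Phil is reasoning about: a stateless inbound-only allow-list of destination ports (the assumption he makes about Win2K TCP/IP filtering, not a reverse-engineering of it) and the same allow-list with connection tracking. The DNS lookup is built from two constructed packets (a query from an ephemeral port to 53, and the answer from 53 back to that port) using constructed sample addresses, so the model shows why "open 53" on a stateless inbound filter still drops the client's reply.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool    # True when the packet arrives at the filtered host


class StatelessInboundFilter:
    """Assumed model of the filter discussed in the thread: only inbound
    packets are examined, the policy is a per-protocol allow-list of
    destination ports, and nothing remembers what the host itself sent."""

    def __init__(self, tcp_ports: Optional[FrozenSet[int]],
                 udp_ports: Optional[FrozenSet[int]]) -> None:
        # None means "permit all" for that protocol (filter effectively off)
        self.tcp_ports = tcp_ports
        self.udp_ports = udp_ports

    def permits(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            return True  # outbound traffic is never filtered in this model
        allowed = self.tcp_ports if pkt.proto == "tcp" else self.udp_ports
        return allowed is None or pkt.dst_port in allowed


class StatefulFilter(StatelessInboundFilter):
    """Same allow-list, plus a table of outbound flows: the reply to a
    recorded flow is accepted even though its destination port is not listed."""

    def __init__(self, tcp_ports: Optional[FrozenSet[int]],
                 udp_ports: Optional[FrozenSet[int]]) -> None:
        super().__init__(tcp_ports, udp_ports)
        self.flows: set = set()

    def permits(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port,
                            pkt.dst_ip, pkt.dst_port))
            return True
        # An inbound packet matches a flow if it is that flow's 5-tuple reversed
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.flows:
            return True  # solicited reply
        return super().permits(pkt)  # otherwise fall back to the allow-list


HOST, RESOLVER = "192.0.2.10", "192.0.2.53"  # constructed sample addresses


def dns_lookup(host: str, resolver: str, ephemeral: int = 1234,
               proto: str = "udp") -> List[Packet]:
    """The two packets of a client lookup: query from a high source port to
    53, then the resolver's answer from 53 back to that high port."""
    query = Packet(proto, host, ephemeral, resolver, 53, inbound=False)
    answer = Packet(proto, resolver, 53, host, ephemeral, inbound=True)
    return [query, answer]


def evaluate(flt: StatelessInboundFilter, packets: List[Packet]) -> List[bool]:
    """Verdict per packet, in order; the filter may record state as it goes."""
    return [flt.permits(p) for p in packets]


if __name__ == "__main__":
    only53 = frozenset({53})
    print("stateless, 53 open  :", evaluate(StatelessInboundFilter(only53, only53), dns_lookup(HOST, RESOLVER)))
    print("stateless, all UDP  :", evaluate(StatelessInboundFilter(only53, None), dns_lookup(HOST, RESOLVER)))
    print("stateful,  53 open  :", evaluate(StatefulFilter(only53, only53), dns_lookup(HOST, RESOLVER)))
```

In the stateless case the second verdict is False: the answer's destination port is the ephemeral port, not 53, so listing 53 only ever admits queries to a DNS server running on the host, which is exactly the distinction between "server" and "client" use of port 53 made above. Opening every UDP port admits the answer but also every other unsolicited UDP datagram, whereas the stateful variant admits only replies to flows the host itself opened.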