From: Attonbitus Deus (ThorHAMMEROFGOD.COM)
Date: Fri Apr 06 2001 - 12:46:14 CDT
This is for the inbound packet, so think of it from the packet's
You need to allow any udp packet with source port > 1024 with any source
address back in if the destination address is in your subnet and the
destination udp port is 53. The client queries 53 from >1024 - that guy
has to come back in...
I applied this filter and it works perfectly.
----- Original Message -----
From: "Phil Cox" <Phil.CoxSYSTEMEXPERTS.COM>
Sent: Thursday, April 05, 2001 4:10 PM
Subject: Re: Win2K port filtering, DNS
> > I'm trying to add Win2K port filtering (not via IPSec) to a Win2K
> > IIS Server, and it breaks dns as a client. I've allowed both 53 UDP and
> Remember that the client will use a "random" numbered high port (>1024
> typically) as the source port, and the destination is 53. So adding these
> filters will not do anything from the clients perspective.
> > Based on Philip Cox's 'Hardening Windows 2000' paper
> > (http://www.systemexperts.com/tutors/HardenW2K101.pdf)
> > I don't think I should even have to explicitly open port 53
> > to use dns as a client.
> You don't, TCP/IP port filtering is only for inbound connections.
> > In any case, with port filtering on, and 53 (tcp and udp) open,
> > dns times out. With port filtering off, dns works fine.
> What happens if you allow all UDP ports? I am wondering if it is the case
> that by blocking UDP packets, it blocks even the return packets (i.e.,
> srcport = 53, destport > 1024). I thought there was a bit of statefulness
> to it, but I'll have to check again.
> Nope, ... I get the same results. I'll have to investigate this, as I
> have the answer off the top of my head ;(
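The point the thread turns on is the return path of a DNS lookup: the client sends from an ephemeral port (>1024) to destination port 53, and the reply comes back with source port 53 and the ephemeral port as its destination. A stateless inbound filter that matches only on destination port will admit a packet *to* port 53 but never the reply. The following Python model is an added example, not code from the thread or from Windows 2000; the addresses and the ephemeral port 1035 are constructed sample values. It compares three inbound policies on the same query/reply pair: destination-port-only (the behaviour the thread describes for Win2K port filtering), a stateless return-path rule (source port 53, destination > 1024), and a filter that remembers the outbound query and admits only its matching reply (the "bit of statefulness" Phil asks about).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class UdpPacket:
    """Header fields of one UDP datagram (constructed sample values)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed exchange: the IIS host 192.0.2.10 queries the resolver 192.0.2.53.
# The client picks an ephemeral source port (>1024, here 1035) and sends to
# destination port 53; the reply reverses the whole 4-tuple.
QUERY = UdpPacket("192.0.2.10", 1035, "192.0.2.53", 53)
REPLY = UdpPacket("192.0.2.53", 53, "192.0.2.10", 1035)

# Constructed unsolicited packet: an outside host sourcing from port 53 at an
# arbitrary high UDP port on the IIS host (no query was ever sent to it).
SPOOFED = UdpPacket("198.51.100.7", 53, "192.0.2.10", 3000)


def permit_dst_port_only(pkt: UdpPacket, allowed_dst_ports) -> bool:
    """Stateless inbound filter that looks only at the destination port.

    With allowed_dst_ports == {53} a packet *to* port 53 passes, but the DNS
    reply (destination 1035) never matches, so client lookups time out.
    """
    return pkt.dst_port in allowed_dst_ports


def permit_return_path(pkt: UdpPacket) -> bool:
    """Stateless rule written for the reply direction: src 53, dst > 1024.

    Admits replies, but also admits anything sourced from port 53 aimed at any
    high UDP port, because nothing ties the packet to an earlier query.
    """
    return pkt.src_port == 53 and pkt.dst_port > 1024


class StatefulUdpFilter:
    """Tracks outbound queries and admits only the matching inbound reply."""

    def __init__(self):
        self._pending = set()

    def outbound(self, pkt: UdpPacket) -> None:
        # Store the tuple as it will appear when the reply comes back.
        self._pending.add((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))

    def inbound(self, pkt: UdpPacket) -> bool:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self._pending:
            self._pending.discard(key)  # one reply per query
            return True
        return False


def compare_policies() -> dict:
    """Return {policy: (reply admitted, spoofed src-53 packet admitted)}."""
    tracker = StatefulUdpFilter()
    tracker.outbound(QUERY)  # outbound traffic is not filtered; just recorded
    return {
        "dst_port_only": (permit_dst_port_only(REPLY, {53}),
                          permit_dst_port_only(SPOOFED, {53})),
        "return_path": (permit_return_path(REPLY),
                        permit_return_path(SPOOFED)),
        "stateful": (tracker.inbound(REPLY),
                     tracker.inbound(SPOOFED)),
    }


if __name__ == "__main__":
    for name, (reply_ok, spoof_ok) in compare_policies().items():
        print(f"{name:14s} reply admitted={reply_ok!s:5s} "
              f"unsolicited src-53 admitted={spoof_ok}")
```

Run as a script it shows why "open UDP 53" alone breaks the resolver client, and it also shows the cost of the stateless fix: a rule keyed on source port 53 lets any host that sets its source port to 53 reach every UDP port above 1024 on the server, which is the usual argument for preferring a filter that tracks the outbound query.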