From: Attonbitus Deus (ThorHAMMEROFGOD.COM)
Date: Fri Apr 06 2001 - 12:46:14 CDT


    This is for the inbound packet, so think of it from the packet's
    perspective:

    You need to allow any udp packet with source port > 1024 with any source
    address back in if the destination address is in your subnet and the
    destination udp packet is 53. The client queries 53 from >1024- that guy
    has to come back in...

    I applied this filter and it works perfectly.

    HTH
    ---------------------------------
    Attonbitus Deus
    ThorHammerofGod.Com

    ----- Original Message -----
    From: "Phil Cox" <Phil.CoxSYSTEMEXPERTS.COM>
    To: <FOCUS-MSSECURITYFOCUS.COM>
    Sent: Thursday, April 05, 2001 4:10 PM
    Subject: Re: Win2K port filtering, DNS

    > > I'm trying to add Win2K port filtering (not via IPSec) to a Win2K
    > > IIS Server, and it breaks dns as a client. I've allowed both 53 UDP and TCP.
    >
    > Remember that the client will use a "random" numbered high port (>1024
    > typically) as the source port, and the destination is 53. So adding these
    > filters will not do anything from the client's perspective.
    >
    > > Based on Philip Cox's 'Hardening Windows 2000' paper
    > > (http://www.systemexperts.com/tutors/HardenW2K101.pdf)
    > > I don't think I should even have to explicitly open port 53
    > > to use dns as a client.
    >
    > You don't, TCP/IP port filtering is only for inbound connections.
    >
    > > In any case, with port filtering on, and 53 (tcp and udp) open,
    > > dns times out. With port filtering off, dns works fine.
    >
    > What happens if you allow all UDP ports? I am wondering if it is the case
    > that by blocking UDP packets, it blocks even the return packets (i.e.,
    > srcport = 53, destport >1024). I thought there was a bit of statefulness in
    > it, but I'll have to check again.
    >
    > Nope, ... I get the same results. I'll have to investigate this, as I don't
    > have the answer off the top of my head ;(
    >
    > Phil
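An added model of the behaviour Phil describes, not code from the thread: a stateless inbound filter only sees each packet on its own, so a rule set that permits traffic *to* port 53 never admits the resolver's reply (srcport = 53, destport > 1024), while a return rule admits it along with any other packet carrying the same header. The packets, rule classes and the stateful comparison are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str       # "udp" or "tcp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """One permit rule of a stateless inbound filter (constructed model)."""
    proto: str
    src_ports: range   # permitted source ports
    dst_ports: range   # permitted destination ports

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto
                and pkt.src_port in self.src_ports
                and pkt.dst_port in self.dst_ports)


ANY = range(0, 65536)
HIGH = range(1025, 65536)          # ephemeral client ports, > 1024
PORT_53 = range(53, 54)

# As originally configured: packets TO port 53 only (what a DNS server needs).
SERVER_ONLY = [Rule("udp", ANY, PORT_53), Rule("tcp", ANY, PORT_53)]
# With a return rule: packets FROM port 53 TO an ephemeral port.
WITH_REPLIES = SERVER_ONLY + [Rule("udp", PORT_53, HIGH)]

DNS_REPLY = Packet("udp", src_port=53, dst_port=1500)    # constructed reply to our query
UNSOLICITED = Packet("udp", src_port=53, dst_port=1600)  # constructed, no query was sent


def inbound_allowed(rules, pkt: Packet) -> bool:
    """Stateless check: the packet gets in only if some permit rule matches it alone."""
    return any(r.matches(pkt) for r in rules)


def stateful_allowed(outbound_seen, pkt: Packet) -> bool:
    """What a stateful filter would do: admit only a reply whose ports mirror a query we sent.
    outbound_seen holds (proto, src_port, dst_port) tuples of outbound queries."""
    return (pkt.proto, pkt.dst_port, pkt.src_port) in outbound_seen


def compare_filters():
    sent = {("udp", 1500, 53)}   # the one query the client actually sent
    return {
        "stateless_server_only_reply": inbound_allowed(SERVER_ONLY, DNS_REPLY),    # False
        "stateless_return_rule_reply": inbound_allowed(WITH_REPLIES, DNS_REPLY),   # True
        "stateless_return_rule_unsolicited": inbound_allowed(WITH_REPLIES, UNSOLICITED),  # True
        "stateful_reply": stateful_allowed(sent, DNS_REPLY),                       # True
        "stateful_unsolicited": stateful_allowed(sent, UNSOLICITED),               # False
    }
```

The third result is the cost of fixing DNS with a stateless return rule: the filter cannot tell a reply from any other UDP packet sent from port 53 to a high port.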