DNS & using the TCP/IP Filter


Glenn

I have searched the news group for problems similar to
mine and found someone with virtually the same issues I
need help with. This person seems to describe it well. It
was originally posted on June 3, 2004....

"We have a Windows 2000 server running IIS for public
access with 10 public IPs. The router is broken. We would
like to enable IP filtering to open port 80 for the
web, 25 and 110 for the mail, and TCP and UDP 53 for the
DNS (we have only one NIC with all public IPs and use our
ISP DNS) before replacing the router. Everything looks
good except DNS. We can ping any public IP but can't ping
a web name like yahoo.com. Nslookup gets the time out
too. Which ports do we need to open except TCP and UDP 53?
Or do we miss some things?"

Can someone please explain this, and what it might be?
Another symptom is that if I turn off the IP filtering
(leave it wide open) everything works great. Please help,
as I really don't like to leave this server in this
insecure way.
Thanks for your help,

Glenn
 
I can't help you with the specifics of filtering, but given how inexpensive
routers are, I'd replace it ASAP with a good firewall/router before I'd even
dream of hooking it up to the Internet....
 
I agree, but my problem doesn't involve a router, and I have
a few more IP addresses, all public and not subnetted,
so there is no distinguishable router solution available
to me that I am aware of. I am actually hosting about 50
sites, all with specific IP addresses.

 
Glenn said:
I agree, but my problem doesn't involve a router, and I have
a few more IP addresses, all public and not subnetted,
so there is no distinguishable router solution available
to me that I am aware of. I am actually hosting about 50
sites, all with specific IP addresses.

Then I guess I'm not sure why the post you quoted is relevant - can you
repost with your actual question/problem?
 
The problem is that DNS to the Internet DNS servers uses UDP port 53 "outbound", NOT
inbound. Unfortunately, UDP IP filtering cannot keep track of the state of a
connection like TCP can. As a result, the return traffic to your outbound DNS request
will be to a randomly assigned unprivileged port above 1024, which is blocked by your UDP
IP filtering. You could try entering the first fifty ports above 1024 for UDP and
maybe you will get lucky. I suggest you use IPsec filtering [using block and permit
filter actions] instead and configure a policy with first a mirrored block for all IP
traffic for UDP, and then add a mirrored permit rule for DNS such as: from any port,
from my IP address, to port 53, to any IP address [or ISP DNS servers if not using
root hints]. The links below explain IPsec policies and filtering more. IPsec
policies do not require rebooting and take effect almost immediately after being
assigned or unassigned. --- Steve

http://www.securityfocus.com/infocus/1559
http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
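A small model of the two filtering approaches Steve contrasts, added here as an illustration and not code from the thread or from Windows itself: the stateless TCP/IP filtering permit-list only looks at the destination port of inbound packets, so the DNS reply (source port 53, destination an ephemeral port) is dropped, while a mirrored IPsec-style permit keyed on the remote port 53 lets the same reply through. The server and ISP resolver addresses are constructed TEST-NET values, and the "most specific filter wins" ordering is an assumption of the model.

```python
# Constructed model of stateless port filtering vs. a mirrored IPsec filter.
from dataclasses import dataclass
from typing import Optional

SERVER_IP = "203.0.113.10"   # constructed (TEST-NET-3) stand-in for the public IP
ISP_DNS = "198.51.100.53"    # constructed stand-in for the ISP's DNS server

@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def tcpip_filter_inbound(pkt: Packet, permit_udp_ports: set) -> str:
    # Permit-list semantics: an inbound UDP packet passes only if its
    # destination port is listed. A DNS reply lands on an ephemeral port.
    return "permit" if pkt.dst_port in permit_udp_ports else "drop"

@dataclass(frozen=True)
class IpsecFilter:
    # One filter-list entry; None matches anything. A mirrored entry also
    # matches packets travelling in the opposite direction.
    proto: str
    src_ip: Optional[str]
    src_port: Optional[int]
    dst_ip: Optional[str]
    dst_port: Optional[int]
    action: str
    mirrored: bool = False

    def _one_way(self, p, sip, sport, dip, dport) -> bool:
        return (p.proto == self.proto and sip in (None, p.src_ip)
                and sport in (None, p.src_port) and dip in (None, p.dst_ip)
                and dport in (None, p.dst_port))

    def matches(self, p: Packet) -> bool:
        fwd = self._one_way(p, self.src_ip, self.src_port, self.dst_ip, self.dst_port)
        rev = self.mirrored and self._one_way(p, self.dst_ip, self.dst_port, self.src_ip, self.src_port)
        return fwd or rev

def ipsec_decide(filters, pkt: Packet) -> str:
    # Assumption: the most specific matching filter wins, so the narrow DNS
    # permit overrides the blanket UDP block. No match at all means permit.
    specificity = lambda f: sum(x is not None for x in (f.src_ip, f.src_port, f.dst_ip, f.dst_port))
    best = max((f for f in filters if f.matches(pkt)), key=specificity, default=None)
    return best.action if best else "permit"

# Steve's suggested policy: mirrored block on all UDP, mirrored permit for DNS.
POLICY = [IpsecFilter("udp", None, None, None, None, "block", mirrored=True),
          IpsecFilter("udp", SERVER_IP, None, ISP_DNS, 53, "permit", mirrored=True)]

# The reply to an outbound query: from the resolver's port 53 to an ephemeral port here.
DNS_REPLY = Packet("udp", ISP_DNS, 53, SERVER_IP, 1049)
```

Running `tcpip_filter_inbound(DNS_REPLY, {53})` against `ipsec_decide(POLICY, DNS_REPLY)` shows the drop in the first case and the permit in the second, while unsolicited UDP from elsewhere still hits the block.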
 