TCP/IP Filtering


George

I am locking down a web server to be put on our DMZ. All
protocols are blocked and all ports are blocked except
the following:

TCP: 21, 25, 42, 53, 80, 443, 3389, 8000
UDP: 42, 53, 20, 21

All of the services I need are working except the
following: DNS resolution from the server and FTP from
the server; I'm able to ftp to the server, just not from
it. Does anyone know what additional ports I need to have
open in order for DNS and FTP to work from the server?

Thanks
 
DNS may be on either TCP or UDP 53 -- which
did you open? Which is causing the problem?

FTP usually needs TCP 20 for data (21 is used for
initiation and control).
 
53 and 42 (name server) are open for both TCP and UDP.
FTP is working now, but DNS is not. When I open all of
the UDP ports, but only keep 20, 21, 53, 42, 80 and 443
for TCP open, it works fine. The problem seems to be with
the UDP ports.
 
George said:
53 and 42 (name server) are open for both TCP and UDP.
FTP is working now, but DNS is not. When I open all of
the UDP ports, but only keep 20, 21, 53, 42, 80 and 443
for TCP open, it works fine. The problem seems to be with
the UDP ports.

Also watch out for Source and Destination ports.

Client or internal server generally uses an ARBITRARY ("any")
port to contact the DNS server on port 53. Server responds from
53 to that arbitrary port.
 
I have the same issue.
Is there a way to solve this issue of the server responding to the DNS
server from an arbitrary port so that "bad" UDP ports can be blocked?
Possibly a product that will allow the server to use some ports as
arbitrary?
 
TLW said:
I have the same issue.
Is there a way to solve this issue of the server responding to the DNS
server from an arbitrary port so that "bad" UDP ports can be blocked?
Possibly a product that will allow the server to use some ports as
arbitrary?

Some clients can be told which address/port to use for
binding.

BIND can definitely do this -- Microsoft's RPCs can be locked
to certain ports with registry settings.

Not sure about MS DNS (vaguely think I may have read that but
this may be because I know I read this about BIND and have
seen the settings documented.)
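The two replies above describe the same mechanism from different angles: the server's resolver sends its query from an arbitrary ephemeral port, and a filter that judges inbound packets only by destination port (no memory of what went out) drops the reply unless every possible ephemeral port is open. The following simulation is an added example written for this thread, not code from any poster or from Windows; the addresses and port numbers are constructed, and the "stateless" and "stateful" filters are toy models of the behaviour, not a real packet filter. It shows the reply being dropped, then the two remedies the thread mentions: a filter that remembers outbound flows, or pinning the resolver's source port to one that is already allowed.

```python
from dataclasses import dataclass
from typing import Set, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

SERVER_IP = "192.0.2.10"   # constructed: the DMZ web server doing the lookup
DNS_IP = "192.0.2.53"      # constructed: the DNS server it queries

# Inbound UDP allow-list in the style of the original post: 42, 53, 20, 21.
INBOUND_UDP_ALLOWED: Set[int] = {42, 53, 20, 21}

def stateless_inbound_allowed(pkt: Packet) -> bool:
    """Model of a port-list filter: each inbound packet is judged only by
    its destination port, with no knowledge of what the host sent out."""
    return pkt.dst_port in INBOUND_UDP_ALLOWED

class StatefulFilter:
    """Model of a flow-tracking filter: remembers outbound packets so that a
    reply mirroring one of them (addresses and ports swapped) is let back in."""
    def __init__(self) -> None:
        self.flows: Set[Tuple[str, str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> None:
        self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))

    def inbound_allowed(self, pkt: Packet) -> bool:
        mirrored = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return mirrored in self.flows or pkt.dst_port in INBOUND_UDP_ALLOWED

def dns_exchange(query_src_port: int) -> Tuple[Packet, Packet]:
    """The query the server sends and the reply it should get back."""
    query = Packet("udp", SERVER_IP, query_src_port, DNS_IP, 53)
    reply = Packet("udp", DNS_IP, 53, SERVER_IP, query_src_port)
    return query, reply

def resolve_with_stateless_filter(query_src_port: int) -> bool:
    """True if the DNS reply gets through a destination-port-only filter."""
    _query, reply = dns_exchange(query_src_port)
    return stateless_inbound_allowed(reply)

def resolve_with_stateful_filter(query_src_port: int) -> bool:
    """True if the DNS reply gets through a filter that tracked the query."""
    flt = StatefulFilter()
    query, reply = dns_exchange(query_src_port)
    flt.outbound(query)
    return flt.inbound_allowed(reply)

if __name__ == "__main__":
    # Ephemeral source port, as a stock resolver uses: dropped by the port list.
    print("stateless, ephemeral port 51234:", resolve_with_stateless_filter(51234))
    # Same exchange through a flow-tracking filter: allowed.
    print("stateful,  ephemeral port 51234:", resolve_with_stateful_filter(51234))
    # Resolver pinned to source port 53 (what the BIND reply refers to): allowed
    # even by the stateless list, because the reply lands on an open port.
    print("stateless, pinned port 53:      ", resolve_with_stateless_filter(53))
```

The third case is the workaround the last reply points at: BIND's `query-source` option can fix the port it sends queries from, so replies always return to a port that is already on the list. The trade-off a practitioner should weigh is that a fixed, predictable query source port removes the source-port randomisation that modern resolvers rely on to resist forged-reply cache poisoning, so a stateful filter (the second case) is the preferable fix where the platform offers one.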
 