Re: 53 udp/tcp
From: Ric Griffy (alakevue.at@tampabay.rr.com)
Date: 11/28/02
From: "Ric Griffy" <alakevue.at@tampabay.rr.com> Date: Thu, 28 Nov 2002 16:10:18 GMT
I would also restrict outgoing port 53 to the IPs of your ISP only.
Ric Griffy
"Juergen Nieveler" <juergen.nieveler.nospam@arcor.de> wrote in message
news:Xns92D4A2494B75Cjuergennieveler@nieveler-43544.user.cis.dfn.de...
> "Doug Fox" <dfox168@hotmail.com> wrote:
>
> > The rule (FW-1) allows out-bound (out-going) traffic. Could
> > "external" intruders tunnel their traffic through that port? How is
> > it achieved?
>
> Not external intruders.
>
> But internal users could use port 53 just like any other port to tunnel
> requests through it, thus circumventing the firewall.
>
> As an example, take all those HTTP-Tunneling-systems: They forward
> traffic addressed to a local proxy via Port 80 to another system that
> has a specific proxy running and re-transmits the data to the intended
> systems.
>
> As this rule is for port 53, I'm guessing that you want to give your
> users the ability to use DNS. How about setting up a local DNS server
> that forwards the DNS requests to the Internet (and also caches DNS)?
>
> That way, you only have to allow one server to access the Internet
> directly.
>
>
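The tunnelling Juergen describes above (an internal user pushing data out inside DNS queries that an "any -> any:53" rule lets through) and the kind of check an admin would run over resolver logs, as an added example that is not part of the original thread. The tunnel zone evil-tunnel.example, the three-field log format and the sample queries are all constructed for illustration; the registered-domain split assumes the last two labels and uses no public-suffix list.

```python
"""Added example, not code from the original posts: model a DNS tunnel
client and a simple log check that spots it. Names, log format and the
leaked payload are constructed; evil-tunnel.example is an assumed zone."""
import base64
import math
from collections import Counter, defaultdict


def encode_as_queries(payload: bytes, tunnel_zone: str, chunk: int = 30) -> list[str]:
    """Model a tunnel client: carry bytes outward as base32 subdomain labels.

    The attacker's authoritative server for tunnel_zone receives every query,
    so the data leaves the network as ordinary-looking DNS that the firewall
    rule permits. chunk <= 63 keeps each label within the RFC label limit.
    """
    b32 = base64.b32encode(payload).decode("ascii").rstrip("=").lower()
    return [
        f"{seq}.{b32[i:i + chunk]}.{tunnel_zone}"
        for seq, i in enumerate(range(0, len(b32), chunk))
    ]


def decode_queries(qnames, tunnel_zone: str) -> bytes:
    """Model the attacker's server: reassemble the payload from query names."""
    parts = []
    for q in qnames:
        if q.rstrip(".").endswith("." + tunnel_zone):
            seq, data = q.split(".")[:2]
            parts.append((int(seq), data))
    b32 = "".join(data for _, data in sorted(parts)).upper()
    b32 += "=" * (-len(b32) % 8)  # restore the padding the client stripped
    return base64.b32decode(b32)


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    # Assumption: last two labels form the registered domain (no public-suffix list).
    return ".".join(qname.rstrip(".").split(".")[-2:])


def find_tunnel_candidates(log_lines, max_label: int = 25, max_subdomains: int = 8):
    """Return {registered_domain: report} for zones that look like tunnels.

    Two cheap signals: unusually long labels (data stuffed into the name) and
    many distinct subdomains under one zone (each chunk needs a fresh name to
    defeat caching). Entropy is reported for context, not used to decide.
    """
    per_domain = defaultdict(set)
    for line in log_lines:
        # Constructed log format: "<client> <qtype> <qname>"
        _client, _qtype, qname = line.split()
        per_domain[registered_domain(qname)].add(qname.rstrip("."))
    hits = {}
    for domain, names in per_domain.items():
        subs = [n[: -len(domain) - 1] for n in names if len(n) > len(domain)]
        labels = [lab for s in subs for lab in s.split(".")]
        longest = max((len(lab) for lab in labels), default=0)
        if longest >= max_label or len(subs) >= max_subdomains:
            hits[domain] = {
                "queries": len(names),
                "longest_label": longest,
                "entropy": round(shannon_entropy("".join(labels)), 2),
            }
    return hits


# Constructed sample log: ordinary lookups plus one tunnelled credential leak.
NORMAL = [
    "10.0.0.5 A www.example.com",
    "10.0.0.5 A mail.example.com",
    "10.0.0.7 A www.google.com",
    "10.0.0.7 AAAA www.google.com",
]
LEAK = b"user=alice&pass=hunter2&host=fileserver01"
TUNNEL_QNAMES = encode_as_queries(LEAK, "evil-tunnel.example")
SAMPLE_LOG = NORMAL + [f"10.0.0.9 TXT {q}" for q in TUNNEL_QNAMES]

if __name__ == "__main__":
    for zone, report in find_tunnel_candidates(SAMPLE_LOG).items():
        print(zone, report)
    print(decode_queries(TUNNEL_QNAMES, "evil-tunnel.example"))
```

The check only looks at names, so it works on resolver logs from the single forwarding server Juergen suggests; with that design every internal query passes through one box you can log, and a host that still opens port 53 directly to the Internet shows up in the firewall log instead.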