Re: TCP/IP Filtering
From: Toni Lassila (mpao@mc-europe.com)
Date: 10/22/02
- Next message: Salam: "XFER"
- Previous message: Torgeir Bakken (MVP): "Re: hotfixes"
- In reply to: dave kleiman: "TCP/IP Filtering"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: mpao@mc-europe.com (Toni Lassila) Date: 22 Oct 2002 01:54:55 -0700
"dave kleiman" <dave@netmedic.net> wrote in message news:<9f9001c27969$53e70050$35ef2ecf@TKMSFTNGXA11>...
> I have discovered (not sure if that is the right word) an
> interesting thing in reference to using TCP/IP Filtering
> on a W2000 client.
>
> I was attempting to set up my home system using the built
> in TCP/IP Filtering. I allowed only ports 25 Mail, 53
> DNS, 67&68 DHCP, and 80&443 Internet.
Looks like you're using TCP instead of UDP. See:
<http://groups.google.com/groups?selm=b11796dd.0209032255.46f2ef66%40posting.google.com>
> Well I found out that DNS returns to a client on a port
> >1024. So I picked the first 3 unassigned above 1024
> ports. Well that worked until the third time I opened a
> web browser (no DNS resolution). I looked with NETSTAT -na
> and found that it was now trying to use a port higher than
> the 3 I selected. I opened up 10 more >1024 ports. Well
> that worked till about the 7th time I opened the web
> browser.
This should not be necessary. Any stateful firewall is assumed
to automatically keep track of opened TCP connections, and allow
incoming responses to dynamic ports when appropriate.
There should rarely be a reason for adding "allow" rules for
dynamic ports. DNS queries are definitely not such a reason.
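An added simulation (not code from the thread or from Windows) of the difference Toni describes: a stateless inbound allow-list, as in Windows 2000 TCP/IP Filtering, drops DNS replies as soon as the client's ephemeral source port moves past the few ports that were opened, while a stateful filter remembers the outbound query and admits only the matching reply. The addresses and the ephemeral-port sequence 1025 upward are constructed for the example.

```python
"""Stateless inbound port filter vs. stateful flow tracking, on a DNS exchange."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatelessFilter:
    """Admits an inbound packet only if (proto, dst_port) is on the allow list.
    It records nothing about outbound traffic, like W2000 TCP/IP Filtering."""
    def __init__(self, allowed_ports):
        self.allowed = set(allowed_ports)

    def outbound(self, pkt):
        pass  # no state kept

    def inbound_allowed(self, pkt):
        return (pkt.proto, pkt.dst_port) in self.allowed


class StatefulFilter(StatelessFilter):
    """Also remembers outbound flows and admits the reply that mirrors one."""
    def __init__(self, allowed_ports):
        super().__init__(allowed_ports)
        self.flows = set()

    def outbound(self, pkt):
        self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))

    def inbound_allowed(self, pkt):
        # A reply is the outbound 5-tuple with source and destination swapped.
        mirrored = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return mirrored in self.flows or super().inbound_allowed(pkt)


def dns_exchange(fw, client_port):
    """Client sends a UDP query from an ephemeral port; does the reply get in?"""
    client, resolver = "192.0.2.10", "192.0.2.53"      # constructed addresses
    fw.outbound(Packet("udp", client, client_port, resolver, 53))
    return fw.inbound_allowed(Packet("udp", resolver, 53, client, client_port))


def simulate(fw, ephemeral_ports):
    """One lookup per browser launch, each from the next ephemeral port."""
    return [dns_exchange(fw, p) for p in ephemeral_ports]
```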