Re: TCP/IP Filtering Problem

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 09/07/04


Date: Tue, 07 Sep 2004 18:47:44 GMT

Unlike tcp/ip filtering for TCP, filtering for UDP is not "stateful" in that the
computer does not realize that the return traffic from dns servers on the internet
is a response to requests that the computer initiated. Port 53 UDP is the server port
for dns requests and not the port you would use as the client, which could be any of
the above-1024 unprivileged ports. You will need to disable filtering for UDP if you need
dns name resolution FROM your server. Note that internet users will still be able to
access your web server. You would only need to open port 53 UDP if that server is
also hosting dns for internet users, and they would receive reply traffic since tcp/ip
filtering only blocks inbound traffic. You could use ipsec filtering to complement
your tcp/ip filtering, and I suggest that you use a hardware firewall as your first
line of defense; even a cheap under-$100 one will be a whole lot better than none at
all. The Netgear ProSafe line starts at under $100 and is a real SPI firewall. ---
Steve

http://www.securityfocus.com/infocus/1559
http://support.microsoft.com/default.aspx?scid=kb;en-us;811832 -- explanation of
ipsec default exemptions and a registry mod to remedy.

"George Jewell" <gjewell@usdatalink.com> wrote in message
news:gRm%c.523$xA1.90@newsread3.news.pas.earthlink.net...
> Hello,
>
> I'm trying to lock down a Win2K server (Svc. Pak 4) for use as a web server
> and want to be as thorough as possible. I'd like to use TCP/IP Filtering,
> but have run into a snag. I have it set so that the following TCP ports are
> permitted: 21, 25, 53, and 80; and also UDP port 53. The problem is that it
> seems name resolution is not working. I can ping sites by IP address but not
> DNS names. Also, sending mail with the SMTP server does not work, and adds
> this entry to the system log: "message delivery to the remote domain
> <domain> failed for the following reason: destination server does not
> exist."
>
> When I allow all UDP ports, everything works fine. Obviously there are a few
> other UDP ports I must allow - does anyone have any suggestions as to which
> ports to open? Thanks.
>
>
>
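The following is an added example, not part of the original thread, that models the behaviour Steve describes: an inbound-only, static port filter (the Win2K TCP/IP Filtering rule set from George's question) versus a filter that tracks outbound UDP flows. The addresses, the ephemeral port 49152 and the `Packet` model are constructed for illustration.

```python
from dataclasses import dataclass

# Rule set from the question: inbound packets are checked against static
# destination-port lists; outbound traffic is never inspected.
PERMITTED_TCP = {21, 25, 53, 80}
PERMITTED_UDP = {53}


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def stateless_inbound_allowed(pkt: Packet) -> bool:
    """Static inbound filter: only protocol and destination port matter."""
    if pkt.proto == "tcp":
        return pkt.dst_port in PERMITTED_TCP
    if pkt.proto == "udp":
        return pkt.dst_port in PERMITTED_UDP
    return False


class StatefulFilter:
    """Same rules, but an outbound packet records its flow so that the
    reply (5-tuple reversed) is accepted on the ephemeral client port."""

    def __init__(self) -> None:
        self.flows: set[tuple] = set()

    def outbound(self, pkt: Packet) -> None:
        # Store the tuple as the reply will present it.
        self.flows.add((pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))

    def inbound_allowed(self, pkt: Packet) -> bool:
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return key in self.flows or stateless_inbound_allowed(pkt)


def dns_lookup_outcome(stateful: bool) -> str:
    """Simulate the server resolving a name: query out, reply in."""
    server, resolver = "192.0.2.10", "198.51.100.53"   # constructed addresses
    query = Packet("udp", server, 49152, resolver, 53)  # ephemeral source port
    reply = Packet("udp", resolver, 53, server, 49152)  # reply hits port 49152
    if stateful:
        fw = StatefulFilter()
        fw.outbound(query)
        return "resolved" if fw.inbound_allowed(reply) else "blocked"
    return "resolved" if stateless_inbound_allowed(reply) else "blocked"
```

The static filter drops the reply because its destination is the ephemeral port, not 53, while an inbound query to the server's own port 53 (the hosting-DNS case) still passes.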
