Low numbered source port for queries
Chad M. Stewart
Chad at Amotken.com
Fri Jul 20 22:42:04 UTC 2001
All,
The packet filters on my firewall are rejecting some DNS
queries to my name server. From the books that I've read
the rejections seem correct. Maybe the books are neglecting
to tell me something.
Below is my understanding of the possible packet flow over a
firewall when there is an authoritative DNS server behind it.
Sorry, the syntax is for ipchains, but it should be understandable
all the same.
The rejections in my log look like
Packet log: input DENY eth0 PROTO=17 y.y.y.y:1003 x.x.x.x:53
Packet log: input DENY eth0 PROTO=17 y.y.y.y:1003 x.x.x.x:53
Packet log: input DENY eth0 PROTO=17 y.y.y.y:1003 x.x.x.x:53
17=UDP
y.y.y.y - being the host on the Internet
x.x.x.x - being my system
The books I've read on DNS and firewalls/packet filtering don't
mention, or I have not read of, a situation where the protocol
is UDP and the source port is !=53 && <=1023. Instead the source
port should be either 53 or >=1024. Am I missing something
here, or is the source server misconfigured?
# DNS - UDP - client --> server
ipchains --append output \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $LOCALHOST $DNS \
--destination $EXTERNAL_NETWORK $UNPRIVPORTS \
--protocol udp
ipchains --append input \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $EXTERNAL_NETWORK $UNPRIVPORTS \
--destination $LOCALHOST $DNS \
--protocol udp
# DNS - TCP - client --> server or server --> server
ipchains --append output \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $LOCALHOST $DNS \
--destination $EXTERNAL_NETWORK $UNPRIVPORTS \
--protocol tcp ! -y
ipchains --append input \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $EXTERNAL_NETWORK $UNPRIVPORTS \
--destination $LOCALHOST $DNS \
--protocol tcp
# DNS - UDP - server --> server
ipchains --append output \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $LOCALHOST $DNS \
--destination $EXTERNAL_NETWORK $DNS \
--protocol udp
ipchains --append input \
--jump ACCEPT \
--interface $EXTERNAL_INTERFACE \
--source $EXTERNAL_NETWORK $DNS \
--destination $LOCALHOST $DNS \
--protocol udp
Thank you,
Chad
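The following is an added example, not part of the original post or of BIND: a small Python audit that parses ipchains "Packet log:" lines of the form shown above and evaluates each denied packet against the three input ACCEPT rules in the post (UDP from unprivileged ports to 53, TCP from unprivileged ports to 53, UDP from 53 to 53). It assumes $UNPRIVPORTS means 1024:65535 and $DNS means 53; the sample log lines and their addresses (RFC 5737 documentation ranges) are constructed, since the post's addresses are masked. Running it over a real log answers the question of how many rejected queries come from privileged, non-53 source ports and from which hosts.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log lines in the ipchains "Packet log:" format seen in the
# post; addresses are from RFC 5737 documentation ranges, not a real log.
SAMPLE_LOG = [
    "Packet log: input DENY eth0 PROTO=17 198.51.100.7:1003 192.0.2.10:53",
    "Packet log: input DENY eth0 PROTO=17 198.51.100.7:1003 192.0.2.10:53",
    "Packet log: input DENY eth0 PROTO=17 198.51.100.7:53 192.0.2.10:53",
    "Packet log: input DENY eth0 PROTO=17 203.0.113.9:32768 192.0.2.10:53",
    "Packet log: input DENY eth0 PROTO=6 203.0.113.9:1003 192.0.2.10:53",
    "Packet log: input DENY eth0 PROTO=17 203.0.113.9:1030 192.0.2.10:25",
]

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

TCP, UDP = 6, 17
DNS = 53                          # $DNS in the post's rules (assumption)
UNPRIV_LO, UNPRIV_HI = 1024, 65535  # $UNPRIVPORTS in the post's rules (assumption)


@dataclass
class Packet:
    chain: str
    verdict: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int


def parse_log_line(line: str) -> Optional[Packet]:
    """Parse one ipchains log line; return None for lines that do not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Packet(m["chain"], m["verdict"], m["iface"], int(m["proto"]),
                  m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def inbound_dns_rule(pkt: Packet) -> Optional[str]:
    """Mirror the three 'input' ACCEPT rules from the post, in order.

    Returns the name of the first rule that would accept the packet, or None
    when no rule matches and ipchains falls through to the chain policy
    (DENY on the firewall in the post).
    """
    if pkt.dport != DNS:
        return None
    from_unpriv = UNPRIV_LO <= pkt.sport <= UNPRIV_HI
    if pkt.proto == UDP and from_unpriv:
        return "DNS-UDP client->server"
    if pkt.proto == TCP and from_unpriv:
        return "DNS-TCP client->server / server->server"
    if pkt.proto == UDP and pkt.sport == DNS:
        return "DNS-UDP server->server"
    return None


def classify_source_port(sport: int) -> str:
    """Bucket a source port the way the post's question does."""
    if sport == DNS:
        return "53"
    if sport < UNPRIV_LO:
        return "privileged, != 53"
    return "unprivileged"


def audit(lines: List[str]) -> List[Tuple[str, int, str, Optional[str]]]:
    """For each parsable line: (src address, src port, port class, matching rule or None)."""
    out = []
    for line in lines:
        pkt = parse_log_line(line)
        if pkt is None:
            continue
        out.append((pkt.src, pkt.sport, classify_source_port(pkt.sport),
                    inbound_dns_rule(pkt)))
    return out


def privileged_query_sources(lines: List[str]) -> Counter:
    """Count denied queries to port 53 whose source port is privileged and not 53,
    keyed by source address, so a single misbehaving resolver stands out."""
    c: Counter = Counter()
    for pkt in filter(None, map(parse_log_line, lines)):
        if pkt.dport == DNS and pkt.sport < UNPRIV_LO and pkt.sport != DNS:
            c[pkt.src] += 1
    return c


if __name__ == "__main__":
    for src, sport, cls, rule in audit(SAMPLE_LOG):
        print(f"{src}:{sport:<5} {cls:<20} -> {rule or 'no rule: chain policy'}")
    print(privileged_query_sources(SAMPLE_LOG))
```

Lines 1 and 2 of the sample reproduce the post's case (UDP, source port 1003, destination 53): no input rule matches, so the chain policy denies them, exactly as the books would predict for that ruleset. The TCP line with source port 1003 is denied for the same reason, and the line to port 25 is outside the DNS rules entirely.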