Low numbered source port for queries

Chad M. Stewart Chad at Amotken.com
Fri Jul 20 22:42:04 UTC 2001
All,

The packet filters on my firewall are rejecting some DNS 
queries to my name server.  From the books that I've read
the rejections seem correct.  Maybe the books are neglecting 
to tell me something.

Below is my understanding of the possible packet flow over a 
firewall when there is an authoritative DNS server behind it. 
Sorry the syntax is for ipchains, but should be understandable
all the same.

The rejections in my log look like

Packet log: input DENY eth0 PROTO=17 y.y.y.y:1003 x.x.x.x:53
Packet log: input DENY eth0 PROTO=17 y.y.y.y:1003 x.x.x.x:53
Packet log: input DENY eth0 PROTO=17 y.y.y.y:1003 x.x.x.x:53

17=UDP
y.y.y.y - being the host on the Internet
x.x.x.x - being my system

The books I've read on dns and firewalls/packetfiltering don't
mention or I have not read of a situation where the protocol
is UDP and the source port is !=53 && <=1023.  Instead the source
port should be either 53 or >=1024.  Am I missing something 
here or is the source server misconfigured?


# DNS - UDP - client --> server
# Our server answers from port 53 to the resolver's unprivileged
# source port (>=1024).
  ipchains --append        output \
           --jump          ACCEPT \
           --interface     $EXTERNAL_INTERFACE \
           --source        $LOCALHOST $DNS \
           --destination   $EXTERNAL_NETWORK $UNPRIVPORTS \
           --protocol      udp

# Queries from any external host arrive from an unprivileged source
# port at our port 53.  A query from source port 1003 matches neither
# this rule nor the server --> server rule below, so it is logged as DENY.
  ipchains --append        input \
           --jump          ACCEPT \
           --interface     $EXTERNAL_INTERFACE \
           --source        $EXTERNAL_NETWORK $UNPRIVPORTS \
           --destination   $LOCALHOST $DNS \
           --protocol      udp


# DNS - TCP - client --> server   or   server --> server
# "! -y" lets only non-SYN segments out, so our port 53 can answer an
# established connection but never opens one to an unprivileged port.
  ipchains --append        output \
           --jump          ACCEPT \
           --interface     $EXTERNAL_INTERFACE \
           --source        $LOCALHOST $DNS \
           --destination   $EXTERNAL_NETWORK $UNPRIVPORTS \
           --protocol      tcp ! -y

# Incoming TCP (SYN included) from an unprivileged source port to our
# port 53, e.g. truncated-reply retries or zone transfers.
  ipchains --append        input \
           --jump          ACCEPT \
           --interface     $EXTERNAL_INTERFACE \
           --source        $EXTERNAL_NETWORK $UNPRIVPORTS \
           --destination   $LOCALHOST $DNS \
           --protocol      tcp


# DNS - UDP - server --> server
# Our server, querying from port 53, to a remote server's port 53.
  ipchains --append        output \
           --jump          ACCEPT \
           --interface     $EXTERNAL_INTERFACE \
           --source        $LOCALHOST $DNS \
           --destination   $EXTERNAL_NETWORK $DNS \
           --protocol      udp

# A remote server querying (or answering) from its port 53 to our port 53.
  ipchains --append        input \
           --jump          ACCEPT \
           --interface     $EXTERNAL_INTERFACE \
           --source        $EXTERNAL_NETWORK $DNS \
           --destination   $LOCALHOST $DNS \
           --protocol      udp
Thank you,
Chad
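As an added example (not part of Chad's message or the bind-users archive), the script below parses the ipchains "Packet log:" format quoted in the post and sorts each line's source port into the three buckets the rules above distinguish: 53, unprivileged (>=1024), or the gap in between that neither the client --> server nor the server --> server rule covers. It then counts, per remote host, the UDP queries to port 53 that fall into that gap, so an operator can see whether the rejections all come from one remote server or from many. The log lines and addresses are constructed placeholders (documentation ranges), the regular expression is an assumption based only on the fields shown in the post, and anything ipchains appends after the destination port is ignored.

```python
import re
from collections import Counter

# Constructed sample in the ipchains "Packet log:" format quoted in the post.
# Addresses are documentation-range placeholders, not real hosts; the first
# two lines mirror the rejected query (UDP, source port 1003, dst port 53).
SAMPLE_LOG = """\
Packet log: input DENY eth0 PROTO=17 192.0.2.10:1003 198.51.100.5:53
Packet log: input DENY eth0 PROTO=17 192.0.2.10:1003 198.51.100.5:53
Packet log: input ACCEPT eth0 PROTO=17 192.0.2.20:53 198.51.100.5:53
Packet log: input ACCEPT eth0 PROTO=17 192.0.2.30:34567 198.51.100.5:53
Packet log: input DENY eth0 PROTO=6 192.0.2.40:1023 198.51.100.5:53
"""

# Assumed layout: chain, action, interface, PROTO=n, src:sport, dst:dport.
# Trailing fields (length, TOS, TTL ...) are tolerated and ignored.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

PROTO_NAMES = {6: "tcp", 17: "udp"}
DNS_PORT = 53


def classify_source_port(port):
    """Bucket a source port the way the post's rules do: 53, unprivileged
    (>=1024), or the low-privileged range that neither rule set accepts."""
    if port == DNS_PORT:
        return "dns"
    if port >= 1024:
        return "unprivileged"
    return "low-privileged"


def parse_line(line):
    """Return a dict of fields for one 'Packet log:' line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    rec["sport_class"] = classify_source_port(rec["sport"])
    return rec


def parse_log(text):
    """Parse every recognisable line of a log excerpt."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def summarize(text):
    """Count lines by (protocol, source-port class, firewall action)."""
    return Counter((r["proto_name"], r["sport_class"], r["action"])
                   for r in parse_log(text))


def low_port_dns_queries(text, proto=17):
    """Per remote host, count DNS queries (dst port 53) sent from a source
    port that is neither 53 nor >=1024.  One host dominating the result
    suggests that host's resolver configuration; many hosts suggest the
    local rule set is too narrow."""
    hits = Counter()
    for r in parse_log(text):
        if (r["proto"] == proto and r["dport"] == DNS_PORT
                and r["sport_class"] == "low-privileged"):
            hits[r["src"]] += 1
    return hits


if __name__ == "__main__":
    for (proto, cls, action), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{proto:4} src={cls:15} {action:7} {n}")
    for host, n in low_port_dns_queries(SAMPLE_LOG).most_common():
        print(f"low-port UDP DNS queries from {host}: {n}")
```

Run it against a real excerpt by replacing SAMPLE_LOG with the contents of the kernel log; the proto argument of low_port_dns_queries can be set to 6 to apply the same check to the TCP rules.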
