Randoming ports and firewall rules

Mike Hoskins (michoski) michoski at cisco.com
Fri Feb 15 19:44:57 UTC 2013


-----Original Message-----

From: Robert Moskowitz <rgm at htt-consult.com>
Date: Friday, February 15, 2013 1:33 PM
To: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
Subject: Randoming ports and firewall rules

>So it is past time for me to only use port 53 and support port
>randomization.  But I do run iptables (and ip6tables) and the server
>sits behind a Juniper SSG firewall.
>
>Where are there instructions for setting up iptables for port
>randomization
>
>and for general firewall rules (I doubt I will find specific for my
>Juniper).

I'm likely misunderstanding the question, but I think stateful firewalls
will address this for you.  Unlike the days of ipchains, iptables makes
this easy...as should any commercial firewall.  The idea being that when
you receive a query on 53/tcp or 53/udp and answer back on a random src
port, that entire conversation is tracked as one session and therefore
succeeds without a bunch of extra rules (the stateful rules are generated
and expired on the fly).

https://wiki.archlinux.org/index.php/Simple_Stateful_Firewall

Fully agreed that you need to leverage src port randomization in the
modern world.
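A concrete iptables ruleset of the kind the reply describes, added here as an example (it is not Mike's or the thread's own configuration); the interface name eth0 and the address 192.0.2.53 are assumed placeholders:

```shell
#!/bin/sh
# Added example (not from the thread): iptables ruleset for a DNS server
# behind a stateful firewall. Interface and address are placeholders.
WAN_IF="eth0"            # assumption: upstream interface name
DNS_ADDR="192.0.2.53"    # assumption: RFC 5737 documentation address

# Emit the ruleset in iptables-restore format. The conntrack rules are
# what make source-port randomization "just work": a recursive query
# leaves from a random port, the reply is matched to that tracked flow
# as ESTABLISHED, and no rule ever has to name the random port.
dns_firewall_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Replies to our own queries come back as ESTABLISHED whatever the port.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Inbound queries to the server only on 53/udp and 53/tcp.
-A INPUT -i $WAN_IF -d $DNS_ADDR -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -d $DNS_ADDR -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# The pre-conntrack (ipchains era) way of letting answers back in: accept
# any packet that claims source port 53. That admits anything with
# sport=53 to every local port, which is why the ESTABLISHED rule above
# replaces it. Kept only for comparison; it is not part of the ruleset.
legacy_stateless_rule() {
  echo "-A INPUT -p udp --sport 53 -j ACCEPT"
}

# Number of rules in the generated set that admit traffic by source port
# alone (expected: 0).
stateless_rule_count() {
  dns_firewall_rules | grep -c -- '--sport' || true
}

case "${1:-}" in
  apply) dns_firewall_rules | iptables-restore ;;   # needs root
  *)     dns_firewall_rules ;;                      # just print the rules
esac
```

The same ruleset serves ip6tables-restore once the address and the ICMP line are replaced with their IPv6 equivalents (`-p ipv6-icmp --icmpv6-type echo-request`).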
