BIND ignores queries from specific privileged source ports
Blake Hudson
blake at ispn.net
Tue Jun 11 15:25:47 UTC 2019
Tony Finch wrote on 6/11/2019 4:23 AM:
> Mark Andrews <marka at isc.org> wrote:
>
>> As for the NAT box that chooses those ports. If you can't keep the
>> original port it should choose an ephemeral port at random. Choosing a
>> well known port is problematic for lots of reasons.
> If I understand the documentation that was linked previously
> https://www.cisco.com/c/en/us/td/docs/security/asa/asa910/configuration/firewall/asa-910-firewall-config/nat-basics.html#ID-2090-00000438
> I think the option that does the right thing is "flat" without
> "include-reserve".
>
>
Yes, that was my understanding as well. Unfortunately the flat option is
not available in most NAT modes and seems to present itself only when
also using a PAT pool in a manual (twice) NAT configuration.
Interestingly enough, older versions of the ASA (7.x) did not require
this extra configuration as they did not attempt to use source ports
below 1024 for PAT. I'm sure there's a reason Cisco added the newer
logic in ASA 8.x, which sometimes does use ports < 1024; I'm just not
sure what that reason could have been.
--Blake
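As an added example (not code from this thread or from ISC), a small Python check over BIND query-log lines that reports which clients send queries from source ports below 1024, so an operator can spot a NAT/PAT device that is picking privileged ports. The log lines below are constructed samples in the usual BIND query-log shape (`client ... <ip>#<port>`); the IP addresses and counts are assumed.

```python
import re
from collections import defaultdict

# Constructed sample BIND query-log lines (not from the original thread).
# The client field has the form "<ip>#<source-port>"; the "@0x..." handle
# only appears in newer BIND versions, so the regex treats it as optional.
SAMPLE_LOG = """\
11-Jun-2019 15:25:47.001 client @0x7f3a1c0b2d60 203.0.113.5#53 (example.com): query: example.com IN A +E(0) (192.0.2.1)
11-Jun-2019 15:25:47.002 client @0x7f3a1c0b2d60 203.0.113.5#40123 (example.com): query: example.com IN AAAA +E(0) (192.0.2.1)
11-Jun-2019 15:25:47.003 client @0x7f3a1c0b2d60 203.0.113.5#123 (example.net): query: example.net IN A +E(0) (192.0.2.1)
11-Jun-2019 15:25:47.004 client @0x7f3a1c0b2d60 198.51.100.9#51234 (example.org): query: example.org IN MX +E(0) (192.0.2.1)
11-Jun-2019 15:25:47.005 client @0x7f3a1c0b2d60 203.0.113.5#7 (example.org): query: example.org IN A +E(0) (192.0.2.1)
"""

CLIENT_RE = re.compile(r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)")


def parse_client(line):
    """Extract (client_ip, source_port) from one query-log line, or None."""
    m = CLIENT_RE.search(line)
    if m is None:
        return None
    return m.group("ip"), int(m.group("port"))


def privileged_source_ports(log_text, limit=1024):
    """Return {client_ip: {source_port: count}} for queries whose UDP/TCP
    source port is below `limit` (the privileged range by default)."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parsed = parse_client(line)
        if parsed is None:
            continue
        ip, port = parsed
        if port < limit:
            hits[ip][port] += 1
    return {ip: dict(ports) for ip, ports in hits.items()}


def report(log_text):
    """Human-readable summary; a client with several distinct low ports is
    more likely a PAT device than a single host bound to one service port."""
    return [f"{ip}: privileged source ports {sorted(ports)}"
            for ip, ports in privileged_source_ports(log_text).items()]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```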