TCP/IP Filtering

George

I am locking down a web server to be put on our DMZ. All
protocols are blocked and all ports are blocked except
the following:

TCP: 21, 25, 42, 53, 80, 443, 3389, 8000
UDP: 42, 53, 20, 21

All of the services I need are working except the
following: DNS resolution from the server and FTP from
the server; I'm able to FTP to the server, just not from
it. Does anyone know what additional ports I need to have
open in order for DNS and FTP to work from the server?

Thanks
 
Herb Martin

DNS may be on either TCP or UDP 53 -- which
did you open? Which is causing the problem?

FTP usually needs TCP 20 for data (21 is used for
initiation and control.)
 
George

53 and 42 (name server) are open for both TCP and UDP.
FTP is working now, but DNS is not. When I open all of
the UDP ports, but only keep 20, 21, 53, 42, 80 and 443
for TCP open, it works fine. The problem seems to be with
the UDP ports.
 
Herb Martin

George said:
53 and 42 (name server) are open for both TCP and UDP.
FTP is working now, but DNS is not. When I open all of
the UDP ports, but only keep 20, 21, 53, 42, 80 and 443
for TCP open, it works fine. The problem seems to be with
the UDP ports.

Also watch out for Source and Destination ports.

Client or internal server generally uses an ARBITRARY ("any")
port to contact the DNS server on port 53. The server responds from
53 to that arbitrary port.
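The source/destination point above is the whole problem in George's setup, so here is a small packet-filter model that walks through it. This is an added example, not code from anyone in the thread; the port numbers, rule sets and the stateful-tracking logic are constructed for illustration and deliberately simpler than a real firewall.

```python
"""Model of a default-deny host filter applied to a DNS lookup made FROM the
DMZ host. Constructed example; ports and rules are illustrative only."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = leaving the DMZ host, "in" = arriving at it
    proto: str       # "udp" or "tcp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    src_port: Optional[int] = None   # None matches any port
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.proto == p.proto
                and self.src_port in (None, p.src_port)
                and self.dst_port in (None, p.dst_port))


def stateless_allowed(rules: List[Rule], p: Packet) -> bool:
    """Default deny: a packet passes only if some static rule matches it."""
    return any(r.matches(p) for r in rules)


class StatefulFilter:
    """Default-deny filter that remembers permitted outbound UDP packets and
    accepts the one inbound packet that answers each of them."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        # (proto, local port, remote port) of outbound packets awaiting a reply
        self.pending: Set[Tuple[str, int, int]] = set()

    def allowed(self, p: Packet) -> bool:
        if p.direction == "out":
            if stateless_allowed(self.rules, p):
                self.pending.add((p.proto, p.src_port, p.dst_port))
                return True
            return False
        key = (p.proto, p.dst_port, p.src_port)   # reply: ports are swapped
        if key in self.pending:
            self.pending.discard(key)
            return True
        return stateless_allowed(self.rules, p)


# The lookup: the resolver picks an arbitrary local port (50123 here, a
# constructed value) and the DNS server answers from 53 back to that port.
DNS_QUERY = Packet("out", "udp", src_port=50123, dst_port=53)
DNS_REPLY = Packet("in", "udp", src_port=53, dst_port=50123)

# "Only port 53 open", read as destination port 53 in both directions.
DST_ONLY = [Rule("out", "udp", dst_port=53), Rule("in", "udp", dst_port=53)]

# Stateless fix: additionally accept inbound UDP whose SOURCE port is 53.
WITH_SOURCE = DST_ONLY + [Rule("in", "udp", src_port=53)]


def stateless_outcome(rules: List[Rule]) -> Tuple[bool, bool]:
    """(query allowed, reply allowed) under a purely static rule set."""
    return (stateless_allowed(rules, DNS_QUERY),
            stateless_allowed(rules, DNS_REPLY))


def stateful_outcome(rules: List[Rule]) -> Tuple[bool, bool]:
    """Same lookup through the flow-tracking filter."""
    f = StatefulFilter(rules)
    return (f.allowed(DNS_QUERY), f.allowed(DNS_REPLY))


def unsolicited_reply_allowed(rules: List[Rule], stateful: bool) -> bool:
    """Does an inbound UDP packet from port 53 to an arbitrary high port get
    through when NO query preceded it? (This is the 'bad UDP ports' worry.)"""
    probe = Packet("in", "udp", src_port=53, dst_port=50123)
    if stateful:
        return StatefulFilter(rules).allowed(probe)
    return stateless_allowed(rules, probe)


if __name__ == "__main__":
    print("dst-only, stateless :", stateless_outcome(DST_ONLY))    # (True, False)
    print("src 53 added        :", stateless_outcome(WITH_SOURCE))  # (True, True)
    print("dst-only, stateful  :", stateful_outcome(DST_ONLY))      # (True, True)
    print("unsolicited, static :", unsolicited_reply_allowed(WITH_SOURCE, False))  # True
    print("unsolicited, stateful:", unsolicited_reply_allowed(DST_ONLY, True))     # False
```

The first case reproduces the thread: the query leaves on destination port 53, but the reply arrives with 53 as the source and the arbitrary port as the destination, so a rule keyed only on destination port drops it and the server's own lookups time out. Opening "all UDP ports" makes it work for the reason George observed. The two narrower remedies differ in what else they let in: the static source-port-53 rule accepts any inbound UDP that claims to come from 53, whereas tracking the outbound query accepts only the matching answer. Pinning the resolver to a fixed query port, which the later replies discuss for BIND, shrinks the static rule to a single known destination port but does not by itself add that matching check.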
 
TLW

I have the same issue.
Is there a way to solve this issue of the server responding to the DNS
server from an arbitrary port so that "bad" UDP ports can be blocked?
Possibly a product that will allow the server to use some ports as
arbitrary?
 
Herb Martin

TLW said:
I have the same issue.
Is there a way to solve this issue of the server responding to the DNS
server from an arbitrary port so that "bad" UDP ports can be blocked?
Possibly a product that will allow the server to use some ports as
arbitrary?

Some clients can be told which address/port to use for
binding.

BIND can definitely do this -- Microsoft's RPCs can be locked
to certain ports with registry settings.

Not sure about MS DNS (vaguely think I may have read that but
this may be because I know I read this about BIND and have
seen the settings documented.)