
Re: Ports to block?



Nate Duehr wrote:

> On Thu, Apr 05, 2001 at 09:38:46PM +0100, Steve Ball wrote:
> > If you run a web server then open port 80 tcp, if you have SMTP inbound 
> > email then open port 25 tcp, if you run your own DNS for your domain 
> > then open port 53 udp.
> 
> You're going to be upset the first time you hit a site that has enough
> information in the DNS response to break the UDP size limit.  BIND
> will switch to TCP and you will drop the packets.

That's resolving, which uses non-privileged ports.  Don't filter on remote
ports, it's only going to get you in trouble.

Back on the server side:
If you run a DNS server you should know if you need to provide TCP DNS
service or not as you know what content your DNS server contains.  Most
people don't have DNS record sets large enough to trigger a TCP lookup.
BIND's zone transfer protocol works over TCP however, so if you're acting
as a master you may have to open the TCP port to your slaves.  Of course if
you're running BIND and you're concerned about security ...
There are better servers than BIND and there are better ways to transfer
zone information.

-- 
Jamie Heilman                   http://audible.transient.net/~jamie/
"...that's the metaphorical equivalent of flopping your wedding tackle
 into a lion's mouth and flicking his lovespuds with a wet towel, pure
 insanity..."                                           -Rimmer
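The filtering policy in the reply above, written out as a ruleset generator. This is an added example from the editor, not code from the thread or from either poster; it uses today's nftables syntax rather than the tooling of 2001, and the secondary-nameserver addresses (192.0.2.10, 192.0.2.11, from the documentation range) and the `gen_ruleset`/`count_sport_rules` helper names are constructed for the illustration. It opens only the local service ports (80/tcp, 25/tcp, 53/udp), lets replies to the host's own outbound traffic back in through connection tracking instead of by remote port, so a resolver query that falls back to TCP still works, and exposes 53/tcp only to the listed secondaries for zone transfers.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post): emit an nftables
# ruleset for a host offering web, SMTP and authoritative DNS.  Inbound rules
# match on the LOCAL destination port only; nothing matches on a remote port.
# The secondary addresses passed in are constructed test values.

gen_ruleset() {
    # $1: space-separated list of secondary (slave) nameserver IPv4 addresses
    slaves="$1"
    # nft set elements are comma separated
    slave_set=$(printf '%s' "$slaves" | sed 's/ /, /g')
    cat <<EOF
table inet filter {
    set dns_slaves {
        type ipv4_addr
        elements = { ${slave_set} }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        # replies to our own outbound connections (resolver queries included,
        # whether or not BIND retries them over TCP) return via state
        # tracking, so no rule needs to look at the remote port at all
        ct state established,related accept
        ct state invalid drop
        # services we offer, matched on the local destination port only
        tcp dport 80 accept
        tcp dport 25 accept
        udp dport 53 accept
        # zone transfers (AXFR/IXFR) run over TCP: allow only known secondaries
        ip saddr @dns_slaves tcp dport 53 accept
    }
}
EOF
}

# Sanity check on the generated policy: the number of rules that match on a
# source port ("sport").  Per the advice in the post, this should always be 0.
count_sport_rules() {
    gen_ruleset "$1" | grep -c 'sport' || true
}

# Print the ruleset (review it, then load with: nft -f <file>)
gen_ruleset "192.0.2.10 192.0.2.11"
```

The generated text is meant to be reviewed and then loaded with `nft -f`; it is not applied by the script. If the server is not a master for any zone, drop the `dns_slaves` set and the `53/tcp` rule entirely, which is the case the post describes for most sites.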