Full Disclosure: Re: Fw: [NTBUGTRAQ] Win 2003 DNS requests makes replies over 512 byte PIX limit

Re: Fw: [NTBUGTRAQ] Win 2003 DNS requests makes replies over 512 byte PIX limit

From: David Terrell <dbt_at_meat.net>
Date: Sat, 10 May 2003 00:15:29 -0500

On Fri, May 09, 2003 at 09:47:01AM +0100, John.Airey_at_rnib.org.uk wrote:
> I've mentioned this issue before on this list (see the thread "SQL Slammer -
> lessons learned"), but I'll repeat it again. Your internal resolver only
> needs to connect to port 53 of external machines to send email to them. The
> connection back to your machine will be on a higher port. The Pix will use
> stateful filtering to allow the connection to the higher port (ie it detects
> that the connection was originated from the inside).
>
> Try "show conn prot udp" (or "show conn") on the firewall to see where the
> connections are really going. Even "netstat -a" on the server should give
> you some information about connections.

'protocol fixup dns 53' (from memory, I fortunately no longer admin
PIX firewalls for a living...) would affect both incoming and
outgoing DNS packets, regardless of what the outgoing query port
was...

-- 
David Terrell            |
Prime Minister, NebCorp  | Gary Hart for President!
dbt@meat.net             |  http://www.garyhartnews.com/hart/
http://wwn.nebcorp.com   |
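As an added illustration (not part of the original thread), a small Python model of the two PIX behaviours the messages describe: the stateful UDP "conn" table that lets a reply back to the resolver's ephemeral port, and the DNS fixup's 512-byte message limit, applied to whatever flow has port 53 on the remote side. The 512-byte figure comes from the thread's subject line; the IP addresses, ports, and the constructed DNS reply are sample values chosen for the example.

```python
import struct
from dataclasses import dataclass, field

DNS_FIXUP_MAX = 512  # the PIX DNS fixup limit on a UDP DNS message, per the thread subject


@dataclass
class StatefulUdpFilter:
    """Tracks outbound UDP flows, roughly what 'show conn prot udp' would list."""
    conns: set = field(default_factory=set)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        self.conns.add((src_ip, src_port, dst_ip, dst_port))

    def allow_inbound(self, src_ip, src_port, dst_ip, dst_port):
        # A reply gets in only if it is the exact reverse of a tracked outbound flow.
        return (dst_ip, dst_port, src_ip, src_port) in self.conns


def build_dns_reply(answers: int) -> bytes:
    """Constructed sample: a response to 'www.example.com A' carrying N A records."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, answers, 0, 0)
    qname = b"\x03www\x07example\x03com\x00"
    question = qname + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    msg = header + question                              # 33 bytes before any answers
    for i in range(answers):
        # Name as a compression pointer to offset 12, then TYPE A, IN, TTL, RDLENGTH, RDATA (16 bytes).
        rdata = bytes([192, 0, 2, (i + 1) % 256])       # 192.0.2.0/24 documentation range
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return msg


def dns_fixup_allows(payload: bytes) -> bool:
    """Model of the DNS fixup's size check: messages over 512 bytes are dropped."""
    return len(payload) <= DNS_FIXUP_MAX


def pix_decision(filt, src_ip, src_port, dst_ip, dst_port, payload, fixup_port=53):
    """Inbound UDP decision (simplified model): stateful match first, then the DNS
    fixup whenever the remote side is the fixup port, whatever port the resolver used."""
    if not filt.allow_inbound(src_ip, src_port, dst_ip, dst_port):
        return "dropped: no matching outbound conn"
    if src_port == fixup_port and not dns_fixup_allows(payload):
        return "dropped: DNS fixup, reply over 512 bytes"
    return "allowed"


if __name__ == "__main__":
    pix = StatefulUdpFilter()
    pix.outbound("10.1.1.5", 40000, "203.0.113.53", 53)   # the resolver's query goes out
    for n in (29, 30):                                    # 29 answers = 497 bytes, 30 = 513 bytes
        reply = build_dns_reply(n)
        print(n, "answers,", len(reply), "bytes ->", pix_decision(pix, "203.0.113.53", 53, "10.1.1.5", 40000, reply))
```

Running it shows the 29-answer reply passing and the 30-answer reply being dropped by the size check, while a reply to a port the resolver never used is dropped by the stateful table before the fixup is even consulted.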
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Received on May 10 2003