Apple allows source port 53, and >1023.  So, doing nslookup will
work (>1023) and non-NATted DNS lookups work (53) but FW-1
hide NAT will place you (IIRC) in the 500-800 range for a source port,
which Apple will drop.

Bad Apple!  No marketshare! :)

Intel does (or did at least) the same.  There are others.

My solution was to use static NAT for my inside DNS servers.

                         Ryan

Drifting away from the topic now...

It would sound like Apple had their firewall set up to only allow
DNS queries originating from port 53, or alternatively had their
DNS server set up to only accept queries originating from port 53.
... If this is true... Uhh.. Sounds like asking for a lot of
problems to me, and it doesn't sound like it'd increase security
either.

I tried nslookup'ing www.apple.com just now (using their server
directly), and it worked just fine. Knowing that nslookup
sure as hell doesn't originate its queries from port 53, and knowing
that our firewall translates my query to a source port well
above 1024, it would seem this is not a problem (any more)?

That is, unless they allow port 53, 1024--65535, but nothing
else below 1024, which I have no way to verify right now without
fooling around with our firewall setup. Call me lazy :-P

Regards,
Mike

"Burgess, Jeff" wrote:
>
>    I'm curious as to why you mentioned Apple.Com specifically?  I've noticed
> that Apple has been having A LOT of problems lately, could be your problem
> is not internal and is actually Apple's problem...  Or is this happening
> with other sites as well?
>
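The two posts above describe the same mechanism from both ends: a remote site that accepts UDP/53 only from source port 53 or from ports above 1023, and a hide NAT that rewrites every outbound source port into a low pool (500-800 according to Ryan, "IIRC"), so the translated queries fall into the one range the remote filter drops, while static NAT keeps the DNS server's own port 53 and nslookup's ephemeral ports pass anyway. The Python below is an added illustration, not code from either poster or from any firewall product: it models that remote policy and both NAT behaviours, and runs a small detector over constructed log lines (the log format, the addresses, and the 500-800 pool are all assumptions) so a defender can recognise the "low, non-53 source port" drop pattern and confirm that static NAT is the fix Mike was unable to test.

```python
import re
from collections import Counter

# Remote policy as the thread describes it: UDP/53 is accepted only when the
# source port is 53 or above 1023; any other source port below 1024 is dropped.
def remote_dns_policy_allows(src_port: int) -> bool:
    return src_port == 53 or src_port > 1023

# Hide NAT as described in the thread ("500-800 range, IIRC"): every outbound
# flow gets the next free port from a low pool, whatever the original port was.
HIDE_NAT_POOL = (500, 800)   # assumption taken from the thread, not a product fact

def hide_nat(src_port: int, pool_cursor: int) -> int:
    low, high = HIDE_NAT_POOL
    return low + (pool_cursor % (high - low + 1))

# Static NAT rewrites only the address; the source port survives, so an
# internal DNS server querying from port 53 still arrives from port 53.
def static_nat(src_port: int, _pool_cursor: int) -> int:
    return src_port

def simulate_outbound(nat, query_ports):
    """Translate each internal source port through `nat` and test it against
    the remote policy.  Returns (original, translated, allowed) per query."""
    results = []
    for cursor, sport in enumerate(query_ports):
        translated = nat(sport, cursor)
        results.append((sport, translated, remote_dns_policy_allows(translated)))
    return results

def classify_source_port(src_port: int) -> str:
    if src_port == 53:
        return "server-to-server (port 53)"
    if src_port > 1023:
        return "ephemeral (>1023)"
    return "low non-53 port (hide-NAT symptom)"

# Constructed log format (not any real firewall's):
#   "<action> udp <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<action>accept|drop) udp (?P<src>[\d.]+):(?P<sport>\d+)"
    r" -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_log_line(line: str):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"action": m["action"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}

def dropped_dns_by_class(lines):
    """Count dropped UDP/53 packets by source-port class; a count dominated by
    'low non-53 port' is the signature of hide NAT meeting this kind of filter."""
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec and rec["dport"] == 53 and rec["action"] == "drop":
            counts[classify_source_port(rec["sport"])] += 1
    return counts

# Constructed sample, as the remote site would log it (TEST-NET addresses).
SAMPLE_LOG = [
    "accept udp 198.51.100.7:53 -> 203.0.113.10:53",     # static NAT DNS server
    "accept udp 198.51.100.7:34567 -> 203.0.113.10:53",  # nslookup, ephemeral port
    "drop udp 198.51.100.7:612 -> 203.0.113.10:53",      # hide NAT picked 612
    "drop udp 198.51.100.7:613 -> 203.0.113.10:53",
    "drop udp 198.51.100.7:700 -> 203.0.113.10:53",
    "accept udp 198.51.100.7:40000 -> 203.0.113.10:53",
]

if __name__ == "__main__":
    for name, nat in (("hide NAT", hide_nat), ("static NAT", static_nat)):
        for original, translated, ok in simulate_outbound(nat, [53, 53, 2048]):
            print(f"{name:10} {original:5} -> {translated:5} {'pass' if ok else 'DROP'}")
    print(dict(dropped_dns_by_class(SAMPLE_LOG)))
```

Running it shows every hide-NAT query landing in the dropped band and every static-NAT query passing, and the classifier reports only the low-port class among the drops, which is the pattern to look for before blaming the remote site.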

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]