Hi,

Presumably all your client machines on the inside access DNS at your ISP
which is the normal practice.

You could tighten the rule so that it will only allow queries out/in
from the specific primary/secondary DNS servers your ISP has.

You might also want to check whether the DNS server that your ISP is
using is emulating the bind 4 behaviour.  This was to return queries on
port 53 - so you can sometimes tighten the rule further so that it only
accepts responses from your ISP's DNS server on port 53.

I think this is covered in the O'Reilly Bind book - it's been a while
;-)

Cheers,

Steve

On Thu, 2002-02-14 at 16:19, Daniel Crichton wrote:
> On 14 Feb 2002 at 16:39, Rasmus Aaen wrote:
> 
> > Another question about my newly inherited PIX. The following rules confuse
> > me a bit:
> > 
> > access-list acl_out permit udp 195.215.xxx.xxx 255.255.255.240 any eq domain
> > access-list acl_out permit udp 195.215.xxx.xxx 255.255.255.240 eq domain any
> > gt 1023
> > 
> > The first one is obvious - any machine on my subnet may do udp dns lookups.
> > But I can't see any reason for the second one. Why would a machine start a
> > connection from port 53 to a port above 1023? The same rule is in the
> > outbound access-list:
> > 
> > access-list acl_in permit udp any 195.215.xxx.xxx 255.255.255.240 eq domain
> > access-list acl_in permit udp any eq domain 195.215.xxx.xxx 255.255.255.240
> > gt 1023
> > 
> > Can I just delete the two with destination ports above 1023?
> 
> It looks like these have been added to allow outgoing and incoming DNS 
> replies to be allowed through the PIX after the normal UDP timeout has 
> passed. I'm pretty sure you won't need these, but you'll probably get a 
> few extra denied packets logged where DNS takes too long to reply. It's 
> probably safer to remove them too. But don't take my word for it - I still 
> use static/conduit and outbound commands on my PIX 5.x as I haven't 
> taken the time to learn the new syntax and convert my existing rules.
> 
> Dan
> ---
> D.C. Crichton                 email: [EMAIL PROTECTED]
> Senior Systems Analyst        tel:   +44 (0)121 706 6000
> Computer Manuals Ltd.         fax:   +44 (0)121 606 0477
> 
> Computer book info on the web:
>    http://computer-manuals.co.uk/
> Want to earn money? Join our affiliate network!
>    http://computer-manuals.co.uk/affiliate/
> 
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
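The access-list lines quoted above, run through a small evaluator (an added example, not code from Steve's, Dan's or Rasmus's mail): it parses PIX-style entries (real subnet masks rather than IOS wildcards, the `host` keyword, `eq`/`gt` port operators), applies first-match with the trailing implicit deny, and compares the quoted `acl_in` pair against a version narrowed to the ISP's resolvers as Steve suggests. The 192.0.2.0/28 subnet, the 198.51.100.x resolver addresses and the sample packets are constructed stand-ins for the elided 195.215.xxx.xxx network and the ISP's real servers.

```python
"""Evaluate PIX-style access-list entries against sample UDP packets.

Added example for the DNS rules discussed in this thread; not code from any
of the posters.  All addresses are constructed (RFC 5737 documentation ranges).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"domain": 53}           # the only service name the quoted rules use
PortSpec = Optional[Tuple[str, int]]  # (operator, port); None means any port

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: PortSpec
    dst: ipaddress.IPv4Network
    dport: PortSpec
    text: str

def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def _addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume 'any', 'host A' or 'A MASK' at t[i].
    PIX access-lists take a real subnet mask, not an IOS-style wildcard."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def _portspec(t: List[str], i: int) -> Tuple[PortSpec, int]:
    if i < len(t) and t[i] in ("eq", "gt", "lt", "neq"):
        return (t[i], _port(t[i + 1])), i + 2
    return None, i

def parse_rule(line: str) -> Rule:
    """access-list NAME permit|deny PROTO SRC [op PORT] DST [op PORT]"""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list entry: {line}")
    src, i = _addr(t, 4)
    sport, i = _portspec(t, i)
    dst, i = _addr(t, i)
    dport, i = _portspec(t, i)
    if i != len(t):
        raise ValueError(f"trailing tokens in: {line}")
    return Rule(t[1], t[2], t[3], src, sport, dst, dport, line)

def _port_ok(spec: PortSpec, port: int) -> bool:
    if spec is None:
        return True
    op, p = spec
    return {"eq": port == p, "gt": port > p, "lt": port < p, "neq": port != p}[op]

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in rule.src
            and _port_ok(rule.sport, pkt.sport)
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and _port_ok(rule.dport, pkt.dport))

def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching entry wins; the list ends with an implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action, rule.text
    return "deny", "implicit deny"

INSIDE = "192.0.2.0 255.255.255.240"   # constructed stand-in for 195.215.xxx.xxx /28
# The inbound pair exactly as quoted in the thread, with the constructed subnet.
LOOSE_ACL_IN = [parse_rule(l) for l in (
    f"access-list acl_in permit udp any {INSIDE} eq domain",
    f"access-list acl_in permit udp any eq domain {INSIDE} gt 1023",
)]
# Reply rule narrowed to the ISP's two resolvers (constructed addresses), as Steve suggests.
TIGHT_ACL_IN = [parse_rule(l) for l in (
    f"access-list acl_in permit udp any {INSIDE} eq domain",
    f"access-list acl_in permit udp host 198.51.100.1 eq domain {INSIDE} gt 1023",
    f"access-list acl_in permit udp host 198.51.100.2 eq domain {INSIDE} gt 1023",
)]

# Constructed packets: a genuine late reply from the ISP resolver, the same
# shape from an unrelated address, and a port-53-sourced packet aimed at a low port.
LATE_REPLY = Packet("udp", "198.51.100.1", 53, "192.0.2.5", 1025)
STRANGER = Packet("udp", "203.0.113.9", 53, "192.0.2.5", 1025)
LOW_PORT = Packet("udp", "198.51.100.1", 53, "192.0.2.5", 514)

def compare(pkt: Packet) -> Tuple[str, str]:
    """(verdict under the quoted rules, verdict under the tightened rules)."""
    return evaluate(LOOSE_ACL_IN, pkt)[0], evaluate(TIGHT_ACL_IN, pkt)[0]

if __name__ == "__main__":
    for name, pkt in (("late reply", LATE_REPLY), ("stranger", STRANGER), ("low port", LOW_PORT)):
        loose, tight = compare(pkt)
        print(f"{name:10} loose={loose:6} tight={tight}")
```

Running it shows the point of the thread: the quoted `gt 1023` entry lets the late reply through, but it also lets through anything else that happens to be sourced from port 53 towards a high port on the inside subnet; restricting the source to the ISP's resolvers keeps the late reply and drops the rest, and neither version accepts port-53-sourced traffic towards a low port.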

