"Firewall UDP Packet Source Port 53 Ruleset Bypass"

My client is running some automated scanning tools on his website and it's returning this error. I'd like to know what ipfw rule I should put in place to block port 53 sourced packets.

Here's the rules we have now:

Code:
# Sockets that were allowed to be set up should be passed through
# quickly
add 01000 allow tcp from any to any established

# Open UDP services
add 03000 allow udp from any to any domain,ntalk,ntp
add 03000 allow udp from any domain,ntalk,ntp to any
add 03500 allow udp from any to any frag

# Open TCP services
add 04000 allow tcp from any to any http,https
add 04000 allow tcp from any to any smtp,domain,ntalk
add 04000 allow tcp from any to any auth

# Open ICMP services (required for normal networking)
add 05000 allow icmp from any to any icmptypes 0,3,8,11,12,13,14

# Safety net
add 10000 deny all from any to any
 
Code:
add 03000 allow udp from any domain,ntalk,ntp to any

This rule allows incoming and outgoing packets from source port udp/53. Most modern nameservers use a random high source port nowadays, so this rule is most likely no longer necessary.
 
Tcpdump fragment of an outgoing DNS query
Code:
192.168.222.244.31233 > 94.142.245.224.53:  12061%

The answer
Code:
94.142.245.224.53 > 192.168.222.244.31233:  12061*
Usually blocking incoming replies to DNS queries sent is not a good idea ;)

I haven't used ipfw for several years, but AFAIK it supports stateful filtering. Just wondering why you are not using that.
 
I hadn't even considered anyone not using stateful filtering nowadays ...
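To make the two points above concrete (the second 03000 line matches on source port alone, and a stateful rule would not), here is an added simulation that is not from the thread or from ipfw itself. It models the posted stateless UDP rules and a keep-state style rule, then runs the query/answer pair from the tcpdump lines above plus two constructed scanner probes from 203.0.113.7 (a documentation address) that set their UDP source port to 53.

```python
# Added example (not from the thread): simulate how the posted stateless ipfw
# UDP rules treat packets versus a keep-state style rule.  All hosts, ports and
# the scanner address 203.0.113.7 are constructed for the demo.
from dataclasses import dataclass

DOMAIN, NTALK, NTP = 53, 518, 123      # the 'domain,ntalk,ntp' service list
OPEN_UDP = {DOMAIN, NTALK, NTP}


@dataclass(frozen=True)
class Udp:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool      # True = arriving from outside the firewall


def stateless_allows(p: Udp) -> bool:
    """Rule 03000 as posted:
         allow udp from any to any domain,ntalk,ntp   (destination port)
         allow udp from any domain,ntalk,ntp to any   (source port)
    Any packet whose source port is 53 matches the second line regardless of
    its destination port; that is the 'source port 53 ruleset bypass'."""
    return p.dport in OPEN_UDP or p.sport in OPEN_UDP


class StatefulFilter:
    """Approximation of
         add 03000 allow udp from me to any domain,ntalk,ntp keep-state
       with an implicit check-state: an outbound packet to an open service
       creates a dynamic entry keyed on the full 4-tuple, and inbound UDP is
       only allowed when it is the mirror image of such an entry."""

    def __init__(self) -> None:
        self.dynamic = set()   # entries are (src, sport, dst, dport) tuples

    def allows(self, p: Udp) -> bool:
        if p.inbound:
            # check-state: is this the reply to a query we actually sent?
            return (p.dst, p.dport, p.src, p.sport) in self.dynamic
        if p.dport in OPEN_UDP:
            self.dynamic.add((p.src, p.sport, p.dst, p.dport))
            return True
        return False


# Constructed traffic: the query/answer pair from the tcpdump lines above,
# then two probes from a scanner that uses UDP source port 53.
QUERY = Udp("192.168.222.244", 31233, "94.142.245.224", 53, inbound=False)
ANSWER = Udp("94.142.245.224", 53, "192.168.222.244", 31233, inbound=True)
PROBE_SSH = Udp("203.0.113.7", 53, "192.168.222.244", 22, inbound=True)
PROBE_SAME_PORT = Udp("203.0.113.7", 53, "192.168.222.244", 31233, inbound=True)


def run(packets):
    """Return {name: (stateless_verdict, stateful_verdict)}, in packet order."""
    sf = StatefulFilter()
    return {name: (stateless_allows(p), sf.allows(p)) for name, p in packets}


if __name__ == "__main__":
    trace = [("query", QUERY), ("answer", ANSWER),
             ("probe to udp/22", PROBE_SSH), ("probe to udp/31233", PROBE_SAME_PORT)]
    for name, (old, new) in run(trace).items():
        print(f"{name:20} stateless={'allow' if old else 'deny':5} "
              f"stateful={'allow' if new else 'deny'}")
```

The stateless ruleset lets both probes through because the source port alone satisfies the second 03000 line; the stateful filter denies them (and denies the real answer too if no matching query preceded it). In ipfw terms the fix is to drop the `from any domain,ntalk,ntp to any` line and give the outbound rule `keep-state`, which is what the stateful suggestion above amounts to; the simulation ignores the dynamic-rule timeouts that ipfw applies to real UDP state.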
 