Message-ID: <20030510051528.GA12948@pianosa.catch22.org>
From: dbt at meat.net (David Terrell)
Subject: Fw: [NTBUGTRAQ] Win 2003 DNS requests makes replies over 512 byte PIX limit

On Fri, May 09, 2003 at 09:47:01AM +0100, John.Airey@...b.org.uk wrote:
> I've mentioned this issue before on this list (see the thread "SQL Slammer -
> lessons learned"), but I'll repeat it again. Your internal resolver only
> needs to connect to port 53 of external machines to send email to them. The
> connection back to your machine will be on a higher port. The Pix will use
> stateful filtering to allow the connection to the higher port (i.e. it detects
> that the connection was originated from the inside).
> 
> Try "show conn prot udp" (or "show conn") on the firewall to see where the
> connections are really going. Even "netstat -a" on the server should give
> you some information about connections.

'protocol fixup dns 53' (from memory, I fortunately no longer admin
PIX firewalls for a living...) would affect both incoming and
outgoing DNS packets, regardless of what the outgoing query port
was...

-- 
David Terrell            |
Prime Minister, NebCorp  | Gary Hart for President!
dbt@...t.net             |  http://www.garyhartnews.com/hart/
http://wwn.nebcorp.com   |
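The limit the thread is arguing about is the classic 512-byte DNS-over-UDP message size, which the PIX DNS fixup enforced on replies. The following is an added illustration, not code from anyone in this thread: it builds an A-record reply for a constructed name and address set, truncates it to the limit with the TC bit set (as a server should, RFC 1035 section 4.1.1) and shows what a 512-byte-limited middlebox would see. Names and addresses are made up for the example.

```python
import struct

# Classic DNS over UDP (RFC 1035) caps a message at 512 bytes; a middlebox
# that enforces the same ceiling drops any larger reply outright, so a
# server must truncate (TC bit) to let the client retry over TCP.
UDP_LIMIT = 512

def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"

def build_response(qname, addrs, limit=UDP_LIMIT):
    """Build an A-record response; keep only as many RRs as fit in `limit`
    bytes and set TC when some had to be dropped. Returns (wire, truncated)."""
    header_len = 12
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    rr_len = 16  # name pointer (2) + type/class/ttl/rdlen (10) + IPv4 (4)
    body = header_len + len(question)
    fit = min(len(addrs), max(0, (limit - body) // rr_len))
    truncated = fit < len(addrs)
    flags = 0x8180 | (0x0200 if truncated else 0)  # QR, RD, RA, optionally TC
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, fit, 0, 0)
    answers = b""
    for addr in addrs[:fit]:
        rdata = bytes(int(o) for o in addr.split("."))
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + rdata
    return header + question + answers, truncated

def check_reply(wire, limit=UDP_LIMIT):
    """Report size, TC flag and whether a `limit`-byte middlebox would drop it."""
    flags = struct.unpack("!H", wire[2:4])[0]
    return {"size": len(wire), "tc": bool(flags & 0x0200), "over_limit": len(wire) > limit}

if __name__ == "__main__":
    # Constructed example: 40 addresses for one name exceed the 512-byte ceiling.
    addrs = ["10.0.0.%d" % i for i in range(1, 41)]
    wire, tc = build_response("example.test.", addrs)
    print(check_reply(wire))                              # truncated, fits
    full, _ = build_response("example.test.", addrs, limit=4096)
    print(check_reply(full))                              # untruncated, dropped
```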
