commonly blocked ISP ports

John Kristoff jtk at northwestern.edu
Thu Sep 15 19:21:14 UTC 2005


On Thu, 15 Sep 2005 10:29:27 +0300
Kim Onnel <karim.adel at gmail.com> wrote:

> 80 deny udp any any eq 1026 (3481591 matches)

If you don't already know, it might be worth looking at a detailed
breakdown of the source ports hitting that rule.  It may be blocking
a good amount of DNS and NTP traffic for instance.  If that is the
case, what you may find an acceptable alternative is to preface it
with rules like this so at least your recursive DNS servers will
not have to maintain the recursive query in memory until it times out
and your time servers don't miss a poll:

  permit udp any eq 53 host [recursive-dns-server-address] eq 1026
  permit udp any eq 123 host [time-server-address] eq 1026

If a larger population of hosts is doing DNS then you'll have to
decide whether or how to open it further or accept occasional
failures.

Note, in my experience, many of the Windows-based worms tend to use
a source port > 1023, so while this opens an even bigger hole, you
could allow through all src ports < 1024, which should create less
breakage.  Your filtering policy and security stance may not permit
the trade-off of course, but it's another option I've seen used.

John
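The two checks John describes, a source-port breakdown of what the deny rule is catching and a before/after comparison of placing narrow permit rules ahead of it, as an added example that is not part of the original post or of any router's code. It parses constructed Cisco-style "IPACCESSLOGP" deny log lines (sample data made up for this example), tallies packets by source port, and evaluates the same flows against a small first-match ACL model. The resolver and time-server addresses, the ACL number and the trailing permit-everything-else line are all assumptions; a real ACL ends in an implicit deny and would carry the rest of the policy there.

```python
import re
from collections import Counter

# Constructed sample log lines in the Cisco "%SEC-6-IPACCESSLOGP" style.
# Source/destination addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 80 denied udp 192.0.2.10(53) -> 198.51.100.5(1026), 1 packet
%SEC-6-IPACCESSLOGP: list 80 denied udp 192.0.2.11(53) -> 198.51.100.5(1026), 3 packets
%SEC-6-IPACCESSLOGP: list 80 denied udp 192.0.2.20(123) -> 198.51.100.9(1026), 1 packet
%SEC-6-IPACCESSLOGP: list 80 denied udp 203.0.113.7(1026) -> 198.51.100.40(1026), 12 packets
%SEC-6-IPACCESSLOGP: list 80 denied udp 203.0.113.8(4567) -> 198.51.100.41(1026), 5 packets
%SEC-6-IPACCESSLOGP: list 80 denied udp 192.0.2.10(53) -> 198.51.100.77(1026), 1 packet
"""

LOG_RE = re.compile(
    r"list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)


def parse_log(text):
    """Turn deny log lines into flow dicts; lines that don't match are skipped."""
    flows = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        flows.append({
            "proto": m.group("proto"),
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "count": int(m.group("count")),
        })
    return flows


def source_port_breakdown(flows):
    """Packets denied, keyed by source port: the first thing to look at."""
    tally = Counter()
    for f in flows:
        tally[f["sport"]] += f["count"]
    return tally


# Assumed addresses for the resolver and time server (placeholders).
RECURSIVE_DNS = "198.51.100.5"
TIME_SERVER = "198.51.100.9"

# ACL entries: (action, proto, src, sport, dst, dport). None means "any";
# a (lo, hi) tuple is an inclusive port range. First match wins.
TARGETED_ACL = [
    ("permit", "udp", None, 53, RECURSIVE_DNS, 1026),   # DNS replies to the resolver
    ("permit", "udp", None, 123, TIME_SERVER, 1026),    # NTP replies to the time server
    ("deny", "udp", None, None, None, 1026),            # the original deny line
    ("permit", "ip", None, None, None, None),           # assumed: rest of the policy
]

# The broader option from the post: let any source port < 1024 through first.
LOW_PORT_ACL = [
    ("permit", "udp", None, (0, 1023), None, 1026),
    ("deny", "udp", None, None, None, 1026),
    ("permit", "ip", None, None, None, None),
]


def _port_ok(want, have):
    if want is None:
        return True
    if isinstance(want, tuple):
        return want[0] <= have <= want[1]
    return want == have


def matches(rule, flow):
    action, proto, src, sport, dst, dport = rule
    return ((proto == "ip" or proto == flow["proto"])
            and (src is None or src == flow["src"])
            and _port_ok(sport, flow["sport"])
            and (dst is None or dst == flow["dst"])
            and _port_ok(dport, flow["dport"]))


def evaluate(acl, flow):
    """Return the action of the first matching entry (implicit deny at the end)."""
    for rule in acl:
        if matches(rule, flow):
            return rule[0]
    return "deny"


def classify(flows, acl):
    """Packets that would be permitted vs. denied under the given ACL."""
    result = Counter()
    for f in flows:
        result[evaluate(acl, f)] += f["count"]
    return dict(result)


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    print("denied packets by source port:", dict(source_port_breakdown(flows)))
    print("targeted permits first:", classify(flows, TARGETED_ACL))
    print("source ports < 1024 first:", classify(flows, LOW_PORT_ACL))
```

On the constructed sample the breakdown shows most hits coming from port 53 and 123 sources, i.e. replies the resolver and time server are waiting for, while the port-1026-to-1026 traffic that motivated the rule is still dropped by both variants. The difference between the two ACLs is the reply to 198.51.100.77, a host that is not the designated resolver: the targeted rules drop it, the "< 1024" rule lets it through, which is the trade-off the post describes.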


