"Firewall UDP Packet Source Port 53 Ruleset Bypass"
 

A client is running a security scan on his website and getting the following critical hit:

Anyone know how to prevent this critical trigger but still allow DNS lookups on the server?

It sounds like you've got a firewall rule which allows incoming UDP packets with source port 53. If so, maybe get rid of that rule and rely on the ESTABLISHED match?

The problem is, when I block anything with a source port of 53, all DNS queries fail, even though I expressly open all traffic from local addresses.

Then you're not using the ESTABLISHED state.If you execute that command, your DNS queries should work just fine without the need for any source port rules.

The very first rule in the list is to allow established connections.

Okay, let's see the configuration of your INPUT and OUTPUT chains.If this is a dedicated firewall (instead of host-based), post the FORWARD chain instead.

Alas, this box is running ipfw, not iptables! It's quite old. I was hoping some general firewall knowledge would help.

You mean ipfw as in the FreeBSD firewall?

If this is GNU/Linux, then anything before iptables will be stateless AFAIK.

FWIW, a stateless workaround for the issue mentioned in the raised alert would be to add the DNS server's IP as a source address to your current source port rule, thereby making it much more specific.