"Firewall UDP Packet Source Port 53 Ruleset Bypass"
A client is running a security scan on his website and getting the following critical hit:

Quote:

It sounds like you've got a firewall rule which allows incoming UDP packets with source port 53. If so, maybe get rid of that rule and rely on the ESTABLISHED match?

The problem is, when I block anything with a source port of 53, all DNS queries fail, even though I expressly open all traffic from local addresses.

Quote:
Code:
iptables -I INPUT -m state --state ESTABLISHED -j ACCEPT
The very first rule in the list is to allow established connections.

Okay, let's see the configuration of your INPUT and OUTPUT chains.
Code:
iptables -nvL INPUT

Alas, this box is running ipfw, not iptables! It's quite old. I was hoping some general firewall knowledge would help.

Quote:
If this is GNU/Linux, then anything before iptables will be stateless AFAIK.
FWIW, a stateless workaround for the issue mentioned in the raised alert would be to add the DNS server's IP as a source address to your current source port rule, thereby making it much more specific.
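The two fixes discussed in this thread (dropping the blanket source-port-53 rule in favour of an ESTABLISHED match, or, on a stateless filter such as the old ipfw box, pinning that rule to the resolver's source address) can be compared in a toy first-match packet filter. This is an added example, not the poster's ruleset or any firewall's real code: the rule syntax is a simplified stand-in for iptables/ipfw, and the addresses and ports are constructed. It runs three rulesets against the same inbound packets: a legitimate DNS reply, a probe at port 22 that merely forges source port 53 (the bypass the scanner flagged), and a probe that forges the resolver's address as well, which shows the residual gap in the stateless workaround.

```python
"""Toy first-match packet filter comparing the flagged rule with its fixes.

Added example: simplified model, constructed addresses; not real iptables/ipfw code.
"""
from dataclasses import dataclass
from typing import Optional

RESOLVER = "192.0.2.53"    # constructed: the host's configured DNS server
ATTACKER = "198.51.100.9"  # constructed: an arbitrary Internet host
US = "203.0.113.10"        # constructed: the firewalled web server


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


@dataclass
class Rule:
    action: str                    # "accept" or "drop"
    proto: Optional[str] = None
    src: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False      # match only replies to flows we initiated

    def matches(self, pkt: Packet, conntrack: set) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and self.src != pkt.src:
            return False
        if self.sport is not None and self.sport != pkt.sport:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.established:
            # ESTABLISHED: the reverse of this 4-tuple was seen leaving the host.
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in conntrack
        return True


class Filter:
    """First-match INPUT evaluation with an implicit default-drop policy."""

    def __init__(self, rules, stateful: bool):
        self.rules = rules
        self.stateful = stateful
        self.conntrack = set()     # expected reply tuples, learned from OUTPUT

    def send(self, pkt: Packet) -> None:
        """Record an outbound packet; a stateless filter learns nothing."""
        if self.stateful:
            self.conntrack.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt, self.conntrack):
                return rule.action
        return "drop"


# The rule the scanner flagged: any UDP packet claiming source port 53 gets in.
WEAK = [Rule("accept", proto="udp", sport=53)]
# Fix 1 (iptables): rely on the ESTABLISHED match instead.
STATEFUL = [Rule("accept", established=True)]
# Fix 2 (stateless ipfw): keep the sport-53 rule but pin it to the resolver's IP.
PINNED = [Rule("accept", proto="udp", sport=53, src=RESOLVER)]


def run_scenario(rules, stateful: bool) -> dict:
    """Return the verdict for a real DNS reply and two forged packets."""
    fw = Filter(rules, stateful)
    fw.send(Packet(US, 40000, RESOLVER, 53))            # our outbound DNS query
    reply = Packet(RESOLVER, 53, US, 40000)             # the genuine answer
    probe = Packet(ATTACKER, 53, US, 22)                # forged sport 53 at SSH
    spoof = Packet(RESOLVER, 53, US, 22)                # forged source IP too
    return {"reply": fw.inbound(reply),
            "probe": fw.inbound(probe),
            "spoof": fw.inbound(spoof)}


if __name__ == "__main__":
    for name, rules, stateful in (("weak", WEAK, False),
                                  ("stateful", STATEFUL, True),
                                  ("pinned", PINNED, False)):
        print(name, run_scenario(rules, stateful))
```

The stateful ruleset admits only the reply whose reverse tuple was recorded when the query left the host, so both forged packets are dropped. The pinned stateless rule stops the generic probe, which is the scanner's finding, but a packet that also forges the resolver's address still matches; on a stateless filter that residual exposure is the price of keeping DNS working, and it is why the thread's first suggestion (ESTABLISHED) is the preferred fix where the firewall supports it.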