[84556] in North American Network Operators' Group


Re: commonly blocked ISP ports

daemon@ATHENA.MIT.EDU (John Kristoff)
Thu Sep 15 15:21:46 2005

Date: Thu, 15 Sep 2005 14:21:14 -0500
From: John Kristoff <jtk@northwestern.edu>
To: nanog@merit.edu
In-Reply-To: <e05f392905091500297e5cdc45@mail.gmail.com>
Errors-To: owner-nanog@merit.edu


On Thu, 15 Sep 2005 10:29:27 +0300
Kim Onnel <karim.adel@gmail.com> wrote:

> 80 deny udp any any eq 1026 (3481591 matches)

If you don't already know, it might be worth looking at a detailed
breakdown of the source ports hitting that rule.  It may be blocking
a good amount of DNS and NTP traffic for instance.  If that is the
case, what you may find an acceptable alternative is to preface it
with rules like this so at least your recursive DNS servers will
not have to maintain the recursive query in memory until it times out
and your time servers don't miss a poll:

  permit udp any eq 53 host [recursive-dns-server-address] eq 1026
  permit udp any eq 123 host [time-server-address] eq 1026

If a larger population of hosts are doing DNS then you'll have to
decide whether or how to open it further or accept occasional
failures.

Note, in my experience, many of the Windows-based worms tend to use
a source port > 1023, so while this opens an even bigger hole, you
could allow through all src ports < 1024, which should create less
breakage.  Your filtering policy and security stance may not permit
the trade-off of course, but it's another option I've seen used.

John

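The two checks John suggests, a source-port breakdown of the hits on the deny rule and a comparison of the original deny against the narrower permit-first ordering and the broader "src ports < 1024" option, worked as an added example that is not part of the original post. The log lines are constructed, modeled on the Cisco IOS %SEC-6-IPACCESSLOGP message format, and use RFC 5737 documentation addresses; the two server addresses are stand-ins for the bracketed placeholders in the post. The ACL evaluation is a small first-match model, not router code.

```python
import re
from collections import Counter

# Constructed sample log lines in the style of IOS "%SEC-6-IPACCESSLOGP".
# Three DNS replies (src 53), one NTP reply (src 123) and three flows from
# ephemeral source ports (> 1023) all hit the "deny udp any any eq 1026" rule.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 110 denied udp 192.0.2.53(53) -> 198.51.100.10(1026), 1 packet
%SEC-6-IPACCESSLOGP: list 110 denied udp 192.0.2.53(53) -> 198.51.100.10(1026), 1 packet
%SEC-6-IPACCESSLOGP: list 110 denied udp 192.0.2.123(123) -> 198.51.100.20(1026), 1 packet
%SEC-6-IPACCESSLOGP: list 110 denied udp 203.0.113.7(1037) -> 198.51.100.44(1026), 1 packet
%SEC-6-IPACCESSLOGP: list 110 denied udp 203.0.113.8(2210) -> 198.51.100.45(1026), 1 packet
%SEC-6-IPACCESSLOGP: list 110 denied udp 203.0.113.9(1055) -> 198.51.100.46(1026), 1 packet
%SEC-6-IPACCESSLOGP: list 110 denied udp 192.0.2.53(53) -> 198.51.100.11(1026), 1 packet
"""

LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)


def parse_log(text):
    """Extract (proto, src, sport, dst, dport) tuples from ACL log lines."""
    flows = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            flows.append({"proto": d["proto"], "src": d["src"], "sport": int(d["sport"]),
                          "dst": d["dst"], "dport": int(d["dport"])})
    return flows


def source_port_breakdown(flows):
    """Count source ports: a pile of hits from 53 or 123 means DNS/NTP replies are being dropped."""
    return Counter(f["sport"] for f in flows)


def rule(action, proto, src=None, sport=None, dst=None, dport=None):
    """One ACL entry; None means 'any', ports are ('eq', n) or ('lt', n)."""
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def port_matches(spec, port):
    if spec is None:
        return True
    op, value = spec
    if op == "eq":
        return port == value
    if op == "lt":
        return port < value
    raise ValueError(f"unsupported port operator {op}")


def rule_matches(r, flow):
    return (r["proto"] in ("ip", flow["proto"])
            and r["src"] in (None, flow["src"])
            and port_matches(r["sport"], flow["sport"])
            and r["dst"] in (None, flow["dst"])
            and port_matches(r["dport"], flow["dport"]))


def first_match(acl, flow):
    """ACLs are evaluated top-down, first match wins, implicit deny at the end."""
    for r in acl:
        if rule_matches(r, flow):
            return r["action"]
    return "deny"


# Assumed stand-ins for [recursive-dns-server-address] and [time-server-address].
RDNS = "198.51.100.10"
NTP = "198.51.100.20"

# Original: everything to udp/1026 is dropped, replies included.
ACL_ORIGINAL = [rule("deny", "udp", dport=("eq", 1026)),
                rule("permit", "ip")]
# Narrow option from the post: permit DNS/NTP replies to the named servers first.
ACL_NARROW = [rule("permit", "udp", sport=("eq", 53), dst=RDNS, dport=("eq", 1026)),
              rule("permit", "udp", sport=("eq", 123), dst=NTP, dport=("eq", 1026)),
              rule("deny", "udp", dport=("eq", 1026)),
              rule("permit", "ip")]
# Broad option from the post: any source port below 1024 gets through to 1026.
ACL_BROAD = [rule("permit", "udp", sport=("lt", 1024), dport=("eq", 1026)),
             rule("deny", "udp", dport=("eq", 1026)),
             rule("permit", "ip")]


def evaluate(acl, flows):
    """Count permit/deny outcomes for a set of flows under an ACL."""
    return Counter(first_match(acl, f) for f in flows)


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    print("source ports hitting the deny:", dict(source_port_breakdown(flows)))
    for name, acl in (("original", ACL_ORIGINAL), ("narrow", ACL_NARROW), ("broad", ACL_BROAD)):
        print(f"{name:9s}", dict(evaluate(acl, flows)))
```

With the constructed sample, the narrow ordering still drops the DNS reply to 198.51.100.11 because only the listed server is permitted, which is the "larger population of hosts" case in the post; the broad option passes it but also passes anything else sourced below 1024.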