The reply coming back will be on a random numbered port greater than 1023,
if you open up all UDP ports greater than 1023 then the response will be
allowed back in. Also you probably don't need to permit TCP domain. ALl DNS
lookups happen using UDP port 53. DNS zone transfers (which only need to
happen between primary and secondary servers) are the only machines which
need TCP port 53. So if you permit UDP port 53 out and UDP greater than
1023 back in it should work fine. If you want to make your filters a bit
beefier you could permit only packets which have a destination port of UDP
>1023 and a source port of UDP 53 (since the response will be coming from a
DNS server it will be on UDP port 53).
Tom
At 11:22 AM 5/18/00 +0300, Palis Michael wrote:
>>>>
I am configuring an access-list in oder to allow only WWW and DNS to go
into my net.
Here is the configuration
internet----router--internal network
access list is
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq domain
access-list 110 permit udp any any eq domain
access-list 110 deny ip any any
the access list in applied as inbound to serial interface of the router
The problem is that user on the internal netwotk cannot browse. I beileve
that the above access-list denies the reply packets from the internet.
Any suggestion will be appreciated
<<<<
Tom Pruneau
Trainer Network Operations
GENUITY
3 Van de Graff Drive Burlington Ma. 01803
24 Hr. Network Operations Center 800-436-8489
If you need to get a hold of me my hours are 7AM-3PM ET Mon-Fri
---------------------------------------------------------------------------
This email is composed of 82% post consumer recycled data bits
---------------------------------------------------------------------------
"Once in a while you get shown the light
in the strangest of places if you look at it right"
___________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
