[EMAIL PROTECTED] wrote:
>I am trying to modify my access-list so that we allow DNS queries to traverse
>the network but no other UDP traffic.
>
>This is what I have coded but it doesn't work:
>
>access-list 105 permit udp any any eq 53
>access-list 105 deny udp any any
>
>What we are trying to do is allow our internal DNS servers to query our external
>DNS servers if the request is not in local cache. We put a sniffer on it and
>found that the request was going from port 53 to port 53. This is different
>behavior than a client request.

First, if you use the "log" operand on the deny statements, the blocked packets will appear in the log. This is useful when you need to understand why some desired traffic is being blocked.

Second, for DNS to work correctly you also need to allow TCP. Perhaps you've done that elsewhere, but I'll show it below.

The following access-list excerpt assumes the destination addresses (the second address in each statement) are the ones being protected and are being allowed to send but not receive DNS queries:

access-list 121 permit udp any any eq domain
access-list 121 permit udp any any range 1024 5999
access-list 121 permit tcp any any established
access-list 121 deny ip any any log

Tony Rall
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
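Editor's added example (not part of either message above): a small first-match evaluator for the extended-ACL entries quoted in the thread, run over constructed DNS packets. It shows why list 105 passes the 53-to-53 exchange the sniffer saw but drops the reply to a stub resolver's ephemeral port, how list 121's "range 1024 5999" and "established" entries cover those cases, and which drops the final "deny ... log" entry would record. The Packet and Ace model, the parser and the sample packets are assumptions made for illustration; the ACL text is the thread's, with the final deny carrying the "ip" protocol keyword that IOS requires after permit/deny.

```python
"""First-match evaluator for the Cisco-style extended ACL entries quoted in
the thread.  Added example, not from the mailing-list post; the Packet/Ace
model, parser and sample packets are assumptions made for illustration."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"domain": 53}  # IOS accepts the name "domain" for port 53


@dataclass(frozen=True)
class Packet:
    proto: str                 # "udp" or "tcp"
    src_port: int
    dst_port: int
    established: bool = False  # TCP segment with ACK or RST set


@dataclass(frozen=True)
class Ace:
    action: str                        # "permit" or "deny"
    proto: str                         # "udp", "tcp" or "ip" (any protocol)
    dst_ports: Optional[range] = None  # None means any destination port
    established: bool = False          # only matches ACK/RST TCP segments
    log: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dst_ports is not None and pkt.dst_port not in self.dst_ports:
            return False
        if self.established and not pkt.established:
            return False
        return True


def parse_ace(line: str) -> Ace:
    """Parse the subset of IOS syntax used in the thread:
    access-list N permit|deny PROTO any any [eq P | range A B] [established] [log]
    Every entry in the thread uses 'any any', so addresses are not modelled."""
    toks = line.split()
    if toks[0] != "access-list" or toks[4:6] != ["any", "any"]:
        raise ValueError("unsupported entry: " + line)
    action, proto = toks[2], toks[3]
    if proto not in ("udp", "tcp", "ip"):
        raise ValueError("protocol keyword required after permit/deny: " + line)
    dst_ports = None
    established = log = False
    rest = toks[6:]
    i = 0
    while i < len(rest):
        if rest[i] == "eq":
            p = PORT_NAMES.get(rest[i + 1]) or int(rest[i + 1])
            dst_ports, i = range(p, p + 1), i + 2
        elif rest[i] == "range":
            dst_ports, i = range(int(rest[i + 1]), int(rest[i + 2]) + 1), i + 3
        elif rest[i] == "established":
            established, i = True, i + 1
        elif rest[i] == "log":
            log, i = True, i + 1
        else:
            raise ValueError("unsupported operand: " + rest[i])
    return Ace(action, proto, dst_ports, established, log)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(entry) for entry in text.strip().splitlines()]


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, bool]:
    """First matching entry wins.  An unmatched packet hits the implicit deny
    at the end of every IOS list, which is never logged."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action, ace.log
    return "deny", False


# The two lists as posted (final deny written with the 'ip' keyword IOS requires).
LIST_105 = parse_acl("""
access-list 105 permit udp any any eq 53
access-list 105 deny udp any any
""")

LIST_121 = parse_acl("""
access-list 121 permit udp any any eq domain
access-list 121 permit udp any any range 1024 5999
access-list 121 permit tcp any any established
access-list 121 deny ip any any log
""")

# Constructed sample traffic (not taken from the thread's sniffer capture).
SERVER_QUERY  = Packet("udp", 53, 53)     # forwarder to forwarder, as the sniffer showed
SERVER_REPLY  = Packet("udp", 53, 53)
CLIENT_QUERY  = Packet("udp", 3456, 53)   # stub resolver, ephemeral source port
CLIENT_REPLY  = Packet("udp", 53, 3456)   # answer back to that ephemeral port
TCP_QUERY_SYN = Packet("tcp", 3457, 53)   # retry over TCP after a truncated answer
TCP_REPLY_ACK = Packet("tcp", 53, 3457, established=True)

if __name__ == "__main__":
    for name, acl in (("105", LIST_105), ("121", LIST_121)):
        for pkt in (SERVER_QUERY, SERVER_REPLY, CLIENT_QUERY, CLIENT_REPLY,
                    TCP_QUERY_SYN, TCP_REPLY_ACK):
            action, logged = evaluate(acl, pkt)
            print(f"list {name}: {pkt.proto} {pkt.src_port}->{pkt.dst_port}: "
                  f"{action}{' (logged)' if logged else ''}")
```

Running it shows list 105 permitting both directions of the 53-to-53 exchange but denying CLIENT_REPLY (destination port 3456 is not "eq 53", so the second entry drops it silently), and dropping every TCP segment through the unlogged implicit deny. List 121 permits the UDP reply through the ephemeral range and the TCP reply through "established"; the TCP SYN and any UDP reply to a port above 5999 fall through to the final entry, which denies and logs, so the router log shows exactly what the list is eating.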
