On 14 Feb 2002 at 16:39, Rasmus Aaen wrote:

> Another question about my newly inherited PIX. The following rules confuse
> me a bit:
> 
> access-list acl_out permit udp 195.215.xxx.xxx 255.255.255.240 any eq domain
> access-list acl_out permit udp 195.215.xxx.xxx 255.255.255.240 eq domain any gt 1023
> 
> The first one is obvious - any machine on my subnet may do udp dns lookups.
> But I can't see any reason for the second one. Why would a machine start a
> connection from port 53 to a port above 1023? The same rule is in the
> outbound access-list:
> 
> access-list acl_in permit udp any 195.215.xxx.xxx 255.255.255.240 eq domain
> access-list acl_in permit udp any eq domain 195.215.xxx.xxx 255.255.255.240 gt 1023
> 
> Can I just delete the two with destination ports above 1023?

It looks like these have been added to allow outgoing and incoming DNS 
replies to be allowed through the PIX after the normal UDP timeout has 
passed. I'm pretty sure you won't need these, but you'll probably get a 
few extra denied packets logged where DNS takes too long to reply. It's 
probably safer to remove them too. But don't take my word for it - I still 
use static/conduit and outbound commands on my PIX 5.x as I haven't 
taken the time to learn the new syntax and convert my existing rules.

Dan
---
D.C. Crichton                 email: [EMAIL PROTECTED]
Senior Systems Analyst        tel:   +44 (0)121 706 6000
Computer Manuals Ltd.         fax:   +44 (0)121 606 0477

Computer book info on the web:
   http://computer-manuals.co.uk/
Want to earn money? Join our affiliate network!
   http://computer-manuals.co.uk/affiliate/

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
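To make the two "gt 1023" lines concrete, here is a small evaluator for the PIX 6.x access-list syntax used in the thread. It is an added example, not code from the list post or from Cisco. It parses the four entries as written (with a constructed stand-in subnet 192.0.2.16/28 for the xxx'd-out 195.215.xxx.xxx/28, and 198.51.100.0/24 as the outside), then runs constructed packets through them with the PIX's first-match, implicit-deny semantics. It models only the access-list text, not the PIX connection table: on the real box the reply to an outbound query is normally passed by the conn entry the query created, and acl_in is consulted only once that entry has aged out. The output shows what the second line actually permits: any UDP datagram sourced from port 53 to any port above 1023 on the inside subnet, whether or not a query preceded it, which is the reason removing it is the safer choice.

```python
"""
Evaluator for the PIX 6.x 'access-list' lines discussed above.
Constructed example; the subnet 192.0.2.16/28 stands in for the
poster's xxx'd-out 195.215.xxx.xxx/28 and 198.51.100.0/24 is "outside".
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# PIX accepts service names in port operators; 'domain' is the one used here.
PORT_NAMES = {"domain": 53}
ANY_PORT = (0, 65535)


@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Tuple[int, int]   # inclusive port range
    dst: ipaddress.IPv4Network
    dport: Tuple[int, int]


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_addr(t: List[str], i: int):
    """'any' | 'host A.B.C.D' | 'A.B.C.D M.M.M.M' (PIX takes a real netmask, not an IOS wildcard)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def _parse_port(t: List[str], i: int):
    """Optional 'eq X' / 'gt N' / 'lt N' / 'range A B'; absent means any port."""
    if i < len(t) and t[i] in ("eq", "gt", "lt"):
        v = _port(t[i + 1])
        return {"eq": (v, v), "gt": (v + 1, 65535), "lt": (0, v - 1)}[t[i]], i + 2
    if i < len(t) and t[i] == "range":
        return (_port(t[i + 1]), _port(t[i + 2])), i + 3
    return ANY_PORT, i


def parse_ace(line: str) -> Ace:
    """access-list <name> permit|deny <proto> <src> [srcport] <dst> [dstport]"""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return Ace(t[1], t[2], t[3], src, sport, dst, dport)


def matches(ace: Ace, p: Packet) -> bool:
    return (ace.proto in ("ip", p.proto)
            and ipaddress.ip_address(p.src) in ace.src
            and ace.sport[0] <= p.sport <= ace.sport[1]
            and ipaddress.ip_address(p.dst) in ace.dst
            and ace.dport[0] <= p.dport <= ace.dport[1])


def evaluate(acl: List[str], p: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; the list ends with an implicit deny, as on the PIX.
    Returns (action, 1-based index of the matching entry, or None for the implicit deny)."""
    for n, ace in enumerate((parse_ace(line) for line in acl), 1):
        if matches(ace, p):
            return ace.action, n
    return "deny", None


# The thread's entries, with the constructed subnet substituted.
ACL_OUT = [
    "access-list acl_out permit udp 192.0.2.16 255.255.255.240 any eq domain",
    "access-list acl_out permit udp 192.0.2.16 255.255.255.240 eq domain any gt 1023",
]
ACL_IN = [
    "access-list acl_in permit udp any 192.0.2.16 255.255.255.240 eq domain",
    "access-list acl_in permit udp any eq domain 192.0.2.16 255.255.255.240 gt 1023",
]

# Constructed traffic: an inside host's query, the outside server's reply,
# and an unsolicited datagram that merely happens to be sourced from port 53.
QUERY = Packet("udp", "192.0.2.20", 34567, "198.51.100.53", 53)
REPLY = Packet("udp", "198.51.100.53", 53, "192.0.2.20", 34567)
ROGUE = Packet("udp", "198.51.100.9", 53, "192.0.2.20", 1024)

if __name__ == "__main__":
    for name, acl, pkt in [("acl_out", ACL_OUT, QUERY),
                           ("acl_in", ACL_IN, REPLY),
                           ("acl_in minus line 2", ACL_IN[:1], REPLY),
                           ("acl_in", ACL_IN, ROGUE)]:
        print(f"{name:20} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {evaluate(acl, pkt)}")
```

Run as a script it prints the four decisions: the query is permitted by acl_out line 1, the reply by acl_in line 2, the same reply hits the implicit deny once line 2 is removed (which is the "extra denied packets logged" Dan expects for slow replies whose conn entry has timed out), and the unsolicited port-53 datagram is permitted by line 2 as well. Port 1023 itself is outside "gt 1023", so a datagram to it is denied either way.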
