This might be because normally the PIX only allows the first DNS reply back to the resolver (a security feature). So in your case the following ones are also allowed.
rgds,
Harri

-----Original Message-----
From: Rasmus Aaen [mailto:[EMAIL PROTECTED]]
Sent: 14 February 2002 17:40
To: '[EMAIL PROTECTED]'
Subject: PIX dns rule

Hi again,

Another question about my newly inherited PIX. The following rules confuse me a bit:

access-list acl_out permit udp 195.215.xxx.xxx 255.255.255.240 any eq domain
access-list acl_out permit udp 195.215.xxx.xxx 255.255.255.240 eq domain any gt 1023

The first one is obvious - any machine on my subnet may do UDP DNS lookups. But I can't see any reason for the second one. Why would a machine start a connection from port 53 to a port above 1023?

The same rule is in the outbound access-list:

access-list acl_in permit udp any 195.215.xxx.xxx 255.255.255.240 eq domain
access-list acl_in permit udp any eq domain 195.215.xxx.xxx 255.255.255.240 gt 1023

Can I just delete the two with destination ports above 1023?

Thanks
/Rasmus

-------
[This E-mail was scanned for viruses by Declude Virus]

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
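A toy model of what the two acl_in lines actually permit, added here as an illustration and not part of the thread or of any Cisco code. It parses the ACL syntax used in the mail (first match wins, implicit deny at the end), then evaluates three constructed packets: a real DNS reply, an attacker's packet sent from source port 53 to an arbitrary high port on the inside, and a second copy of the reply. The 192.0.2.16/28, 198.51.100.1 and 203.0.113.9 addresses are RFC 5737 documentation ranges standing in for the masked 195.215.xxx.xxx subnet, and the FirstReplyOnly class is a simplified stand-in for the "first DNS reply back" behaviour Harri describes, not a description of how the PIX implements it.

```python
"""Toy first-match ACL evaluator plus a minimal stateful reply filter (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

PORT_NAMES = {"domain": 53}  # the only service name the ACLs in the thread use


@dataclass(frozen=True)
class Packet:          # UDP only; that is all these ACL lines cover
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str
    src: Optional[ipaddress.IPv4Network]   # None means "any"
    sport: Callable[[int], bool]
    dst: Optional[ipaddress.IPv4Network]
    dport: Callable[[int], bool]

    def matches(self, pkt: Packet) -> bool:
        return ((self.src is None or ipaddress.IPv4Address(pkt.src) in self.src)
                and self.sport(pkt.sport)
                and (self.dst is None or ipaddress.IPv4Address(pkt.dst) in self.dst)
                and self.dport(pkt.dport))


def _parse_addr(tok, i):
    """'any' | 'host A.B.C.D' | 'A.B.C.D MASK' (PIX uses a normal netmask, not a wildcard)."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _parse_port(tok, i):
    """Optional 'eq N' / 'gt N' / 'lt N'; absent means any port."""
    ops = {"eq": lambda n: (lambda p: p == n),
           "gt": lambda n: (lambda p: p > n),
           "lt": lambda n: (lambda p: p < n)}
    if i < len(tok) and tok[i] in ops:
        n = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        return ops[tok[i]](n), i + 2
    return (lambda p: True), i


def parse_acl(text: str):
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        assert tok[0] == "access-list" and tok[3] == "udp", line
        src, i = _parse_addr(tok, 4)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        rules.append(Rule(tok[2], src, sport, dst, dport))
    return rules


def acl_verdict(rules, pkt: Packet) -> str:
    for r in rules:              # first match wins
        if r.matches(pkt):
            return r.action
    return "deny"                # implicit deny at the end of every ACL


class FirstReplyOnly:
    """Assumed simplification: one reply is let back per outbound query, then the entry is gone."""
    def __init__(self):
        self.pending = set()

    def outbound(self, pkt: Packet):
        self.pending.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))   # 4-tuple of the expected reply

    def inbound_allowed(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.pending:
            self.pending.discard(key)   # first reply consumes the entry
            return True
        return False


# Constructed stand-ins for the acl_in lines in the mail (documentation addresses, not the real subnet)
ACL_IN_FULL = """
access-list acl_in permit udp any 192.0.2.16 255.255.255.240 eq domain
access-list acl_in permit udp any eq domain 192.0.2.16 255.255.255.240 gt 1023
"""
ACL_IN_TRIMMED = "access-list acl_in permit udp any 192.0.2.16 255.255.255.240 eq domain"


def demo() -> dict:
    full, trimmed = parse_acl(ACL_IN_FULL), parse_acl(ACL_IN_TRIMMED)
    query = Packet("192.0.2.20", 40000, "198.51.100.1", 53)      # inside host -> outside resolver
    reply = Packet("198.51.100.1", 53, "192.0.2.20", 40000)      # the genuine answer
    attacker = Packet("203.0.113.9", 53, "192.0.2.20", 5000)     # anyone, sourced from 53, to a high port
    state = FirstReplyOnly()
    state.outbound(query)
    return {
        "reply, full acl": acl_verdict(full, reply),
        "spoofed src 53, full acl": acl_verdict(full, attacker),     # the hole the gt 1023 line opens
        "spoofed src 53, trimmed": acl_verdict(trimmed, attacker),
        "reply, trimmed, stateless": acl_verdict(trimmed, reply),    # why the line was added
        "reply, trimmed + state": state.inbound_allowed(reply),      # state covers the real reply
        "second reply, trimmed + state": state.inbound_allowed(reply),
        "spoofed src 53, trimmed + state": state.inbound_allowed(attacker),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:35} {v}")
```

The point the table of verdicts makes: the `eq domain ... gt 1023` line is a stateless "let replies back" rule, and on a stateless filter it is the only thing that lets the real answer in, but it equally lets any outside host reach any UDP port above 1023 on the subnet just by choosing source port 53. Whether it can be deleted safely therefore depends on whether the box tracks the outbound query and admits the answer on its own, which is exactly the behaviour Harri attributes to the PIX.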
