Yeah, what he said.

Except BIND 8 & 9 allow you to specify query-source port 53. That makes
it a lot easier than opening the high UDP ports.

Mike

----- Original Message -----
From: "Don Brown" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, January 02, 2001 4:25 PM
Subject: Re: [IMail Forum] OT Win2000 TCP filtering


> At 04:50 PM 1/2/01 -0400, you wrote:
> >Hey guys,
> >
> >I am running Imail on Win2k, I am experimenting with TCP filtering, I have
> >opened the following ports:
> >
> >25 - SMTP
> >53 - DNS
> >80 - Webmail
> >100 - Spellchecker
> >110 - POP
> >8383 - EZSignup
> >
> >Imail can send mail to itself without problem, but fails to send mail to any
> >other server. I have come to the conclusion that it is a DNS problem since I
> >cannot perform nslookups (unless I remove the filtering) from the server. As
> >far as I know, port 53 is DNS, I have opened both tcp and udp, anyone have
> >any ideas? All other services work as they should, I can surf, signup, etc,
> >etc.
> >
> >Craig Gittens
>
> Your firewall and/or TCP/UDP filtering must permit UDP (but not TCP)
> traffic to ports > 1023 on the DNS server.  Here's why:
>
> DNS client-to-server query
> source port >1023; destination port 53
>
> DNS server-to-client response
> source port 53; destination port > 1023
>
> DNS server-to-server query or response
> with udp on some servers, source & destination port is 53
> with tcp the requesting server will use a port > 1023
> servers that do not use UDP source port 53 are indistinguishable from clients.
>
> Source: "Building Internet Firewalls, (2nd Edition, June 2000)" by Zwicky,
> Cooper & Chapman
>
> HTH
>
>
> ----
> Don Brown - Dallas, Texas USA       Internet Concepts, Inc.
> [EMAIL PROTECTED]            http://www.inetconcepts.net
> PGP Key ID: 04C99A55                  (972) 788-2364  Fax: (972) 788-5049
> Providing Internet Solutions Worldwide - An eDataWeb Affiliate
> ----
>
>
> Please visit http://www.ipswitch.com/support/mailing-lists.html
> to be removed from this list.
>
> An Archive of this list is available at:
> http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
>
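
The port behaviour discussed in this thread, as an added example that is not part of the original messages: a small model of why lookups fail with only port 53 open, and how the two suggested fixes (opening UDP ports > 1023, or sending queries from source port 53) differ in how many inbound ports they expose. It assumes a stateless filter that matches inbound UDP on destination port only and leaves outbound traffic unfiltered; the class and function names and the sample port 1030 are hypothetical.

```python
from dataclasses import dataclass

DNS_PORT = 53

@dataclass(frozen=True)
class UdpPacket:
    src_port: int
    dst_port: int

class InboundUdpFilter:
    """Assumed model: stateless, matches inbound UDP on destination port only."""

    def __init__(self, allowed):
        # Each entry is a single port or an inclusive (low, high) range.
        self.ranges = [(a, a) if isinstance(a, int) else a for a in allowed]

    def permits(self, pkt):
        return any(lo <= pkt.dst_port <= hi for lo, hi in self.ranges)

    def exposed_ports(self):
        # Number of distinct UDP ports reachable from outside.
        return len({p for lo, hi in self.ranges for p in range(lo, hi + 1)})

def reply_to(query):
    # The answer comes from the server's port 53 back to the query's source port.
    return UdpPacket(src_port=query.dst_port, dst_port=query.src_port)

def lookup_succeeds(flt, query_src_port):
    # Outbound queries are not filtered in this model; only the reply is checked.
    query = UdpPacket(src_port=query_src_port, dst_port=DNS_PORT)
    return flt.permits(reply_to(query))

def scenarios(ephemeral_port=1030):  # 1030 is a constructed sample port > 1023
    only_53 = InboundUdpFilter([53])
    high_open = InboundUdpFilter([53, (1024, 65535)])
    return {
        "port 53 only, ephemeral source": (lookup_succeeds(only_53, ephemeral_port), only_53.exposed_ports()),
        "high UDP ports opened": (lookup_succeeds(high_open, ephemeral_port), high_open.exposed_ports()),
        "port 53 only, query source port 53": (lookup_succeeds(only_53, DNS_PORT), only_53.exposed_ports()),
    }

if __name__ == "__main__":
    for name, (ok, exposed) in scenarios().items():
        print(f"{name:36} reply delivered={ok!s:5} inbound UDP ports open={exposed}")
```

The first scenario corresponds to the failing nslookup in the original question; the other two correspond to the fixes proposed in the two replies.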

