nanog mailing list archives
Re: commonly blocked ISP ports
From: John Kristoff <jtk () northwestern edu>
Date: Thu, 15 Sep 2005 14:21:14 -0500
On Thu, 15 Sep 2005 10:29:27 +0300 Kim Onnel <karim.adel () gmail com> wrote:
> 80 deny udp any any eq 1026 (3481591 matches)
If you don't already know, it might be worth looking at a detailed breakdown of the source ports hitting that rule. It may be blocking a good amount of DNS and NTP traffic for instance. If that is the case, what you may find an acceptable alternative is to preface it with rules like this, so at least your recursive DNS servers will not have to maintain the recursive query in memory until it times out and your time servers don't miss a poll:

    permit udp any eq 53 host [recursive-dns-server-address] eq 1026
    permit udp any eq 123 host [time-server-address] eq 1026

If a larger population of hosts are doing DNS then you'll have to decide whether or how to open it further or accept occasional failures.

Note, in my experience, many of the Windows-based worms tend to use a source port > 1023, so while this opens an even bigger hole, you could allow through all src ports < 1024, which should create less breakage. Your filtering policy and security stance may not permit the trade-off of course, but it's another option I've seen used.

John
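The source-port breakdown John suggests, as an added example that is not part of the original post: it classifies flow records hitting a "deny udp any any eq 1026" rule into DNS replies, NTP replies, other low source ports and high source ports, and emits the narrow permit lines for servers you already know about. The CSV flow records, the addresses and the server sets are all constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample flows (src_ip,src_port,dst_ip,dst_port,packets): DNS and NTP
# replies to local hosts that picked 1026 as their ephemeral port, plus
# unsolicited traffic aimed at 1026 from high source ports.
SAMPLE_FLOWS = """\
src_ip,src_port,dst_ip,dst_port,packets
198.51.100.53,53,192.0.2.10,1026,420
198.51.100.54,53,192.0.2.10,1026,310
203.0.113.123,123,192.0.2.20,1026,48
203.0.113.7,1026,192.0.2.77,1026,9000
203.0.113.9,4567,192.0.2.78,1026,7500
198.51.100.2,53,192.0.2.99,1026,12
"""

# Hypothetical local servers you would be willing to open a pinhole for.
LOCAL_SERVERS = {"recursive-dns": {"192.0.2.10"}, "ntp": {"192.0.2.20"}}


def _matching_rows(csv_text, blocked_port):
    """Yield the rows the deny rule would match (UDP to blocked_port assumed)."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        if int(row["dst_port"]) == blocked_port:
            yield row


def breakdown(csv_text, blocked_port=1026):
    """Return (packets per source port, packets per traffic class)."""
    by_src_port, by_class = Counter(), Counter()
    for row in _matching_rows(csv_text, blocked_port):
        sport, pkts = int(row["src_port"]), int(row["packets"])
        by_src_port[sport] += pkts
        if sport == 53:
            cls = "dns-reply"
        elif sport == 123:
            cls = "ntp-reply"
        elif sport < 1024:
            cls = "other-src<1024"
        else:
            cls = "src>=1024"   # where the worm traffic John describes tends to sit
        by_class[cls] += pkts
    return by_src_port, by_class


def suggest_permits(csv_text, servers, blocked_port=1026):
    """Narrow permit lines for known servers; other hosts seeing DNS/NTP replies
    are returned separately so you can decide whether to open further."""
    permits, undecided = set(), set()
    for row in _matching_rows(csv_text, blocked_port):
        sport, dst = int(row["src_port"]), row["dst_ip"]
        if sport == 53 and dst in servers["recursive-dns"]:
            permits.add(f"permit udp any eq 53 host {dst} eq {blocked_port}")
        elif sport == 123 and dst in servers["ntp"]:
            permits.add(f"permit udp any eq 123 host {dst} eq {blocked_port}")
        elif sport in (53, 123):
            undecided.add(dst)
    return sorted(permits), sorted(undecided)
```

The permit lines go in front of the deny so the pinholes match first; in the sample, 192.0.2.99 shows up as a host receiving DNS replies that is not on the server list, which is the "larger population doing DNS" decision John mentions.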