Firewall Wizards mailing list archives

Allowing DNS servers to operate behind NetScreen 500


From: "Gebhart, Glenn" <GGebhart () chartercom com>
Date: Mon, 3 Feb 2003 12:23:19 -0600

All -

I have several DNS servers situated behind a NetScreen 500. As currently configured, the servers are able to send outbound resolution requests, but inbound resolution replies appear to be getting blocked by the firewall.

The best solution I've been able to find so far is to allow all incoming UDP traffic to the DNS servers w/ source port 53 and dest port > 1024. For fairly obvious reasons I'd prefer not to implement such a broad rule.

Does anyone have a better suggestion? Ideally I'd like something akin to UDP connection tracking, where an outgoing DNS request installs a time-limited rule which allows the reply to traverse the firewall in the opposite direction.

Any help is greatly appreciated.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
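The UDP connection tracking the post asks for, as an added illustration that is not part of the original message or of any NetScreen code: an outbound query to port 53 installs a time-limited entry for the exact reverse 4-tuple, and an inbound packet is allowed only while a matching entry exists, so an unsolicited packet that merely carries source port 53 is dropped where the broad rule would let it through. The internal server address, the 30-second timeout and the injectable clock are constructed assumptions.

```python
import time

DNS_PORT = 53
REPLY_TIMEOUT = 30.0  # assumed: seconds an outbound query stays open for its reply


class UdpDnsTracker:
    """Allow an inbound UDP packet only if it answers a recent outbound query."""

    def __init__(self, internal_ips, timeout=REPLY_TIMEOUT, clock=time.monotonic):
        self.internal = set(internal_ips)  # constructed set of internal DNS server IPs
        self.timeout = timeout
        self.clock = clock                  # injectable for testing expiry
        self.table = {}                     # (src_ip, src_port, dst_ip, dst_port) -> expiry

    def _expire(self, now):
        """Drop table entries whose time-limited window has closed."""
        for key in [k for k, exp in self.table.items() if exp <= now]:
            del self.table[key]

    def filter(self, src_ip, src_port, dst_ip, dst_port):
        """Return 'allow' or 'drop' for one UDP packet and update the state table."""
        now = self.clock()
        self._expire(now)
        # Outbound query from an internal server to port 53: install a
        # time-limited entry keyed on the exact reverse 4-tuple.
        if src_ip in self.internal and dst_port == DNS_PORT:
            self.table[(dst_ip, DNS_PORT, src_ip, src_port)] = now + self.timeout
            return "allow"
        # Anything else (including inbound replies) must match an open entry.
        # Inbound queries to the servers' own port 53 are out of scope here and
        # would need their own explicit rule.
        return "allow" if (src_ip, src_port, dst_ip, dst_port) in self.table else "drop"


def broad_rule(src_port, dst_port):
    """The rule the post would rather avoid: any UDP from port 53 to a high port."""
    return "allow" if src_port == DNS_PORT and dst_port > 1024 else "drop"
```

Matching is on the UDP 4-tuple only; a production tracker would additionally check the DNS transaction ID in the payload before accepting a reply.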