Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: commonly blocked ISP ports

  • From: John Kristoff
  • Date: Thu Sep 15 15:22:41 2005

On Thu, 15 Sep 2005 10:29:27 +0300
Kim Onnel <karim.adel@gmail.com> wrote:

> 80 deny udp any any eq 1026 (3481591 matches)

If you don't already know, it might be worth looking at a detailed
breakdown of the source ports hitting that rule.  It may be blocking
a good amount of DNS and NTP traffic for instance.  If that is the
case, what you may find an acceptable alternative is to preface it
with rules like this so at at least your recursive DNS servers will
not have to maintain the recursive query in memory until it times out
and your time servers don't miss a poll:

  permit udp any eq 53 host [recursive-dns-server-address] eq 1026
  permit udp any eq 123 host [time-server-address] eq 1026

If a larger population of hosts are doing DNS then you'll have to
decide whether or how to open it further or accept occasional
failures.

Note, in my experience, many of the Windows-based worms tend to use
a source port > 1023, so while this opens an even bigger hole, you
could allow through all src ports < 1024, which should create less
breakage.  You filtering policy and security stance may not permit
the trade-off of course, but it's another option I've seen used.

John




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.