[Courses] [Security] Firewall theory -- general (fwd)
hobbit at aloss.ukuu.org.uk
hobbit at aloss.ukuu.org.uk
Wed Mar 13 21:04:47 EST 2002
On Wed, Mar 13, 2002 at 02:08:22PM -0500 or thereabouts, coldfire wrote:
> > Norton Internet Security has the "clever" idea of blocking UDP
> > packets. Such as DNS lookups and responses.
>
> to be *really* persnicketty :) .. DNS has the capability to operate over
> tcp and udp ... however, for the typical lookups most hosts use, it only
> utilizes udp. tcp is usually used for things like zone transfers, etc.
> (over port 53, tcp).
Our firewall drops UDP. All of it. There is some complicated thing
to do with letting DNS queries work. It can be done, but I'd have
to go and investigate to find out how. For all I know, it was
"ask person who runs nameserver to do TCP too".
Other things dropping UDP gives (or loses) you:
* Need to use something called "passive mode" in ftp.
* /dcc doesn't work in IRC.
* Lots of the IM clients don't work.
* Networked quake won't work (there's a complicated HOWTO
about this).
* Can't use ntp (network time protocol) to get precise time
from other machines.
I manage quite happily with all this, but none of these were things
I used, except ftp. And most intelligent ftp clients understand
passive mode anyway.
Hmm. At least I presume these are all due to dropping UDP. If I am
wrong, do let me know.
Telsa
More information about the Courses
mailing list