[Gllug] IPSec

Ian Northeast ian at house-from-hell.demon.co.uk
Wed Feb 13 20:45:11 UTC 2002


Simon Stewart wrote:
> 
> On Wed, Feb 13, 2002 at 10:34:08AM +0000, will wrote:
> > Jonathan Dye wrote:
> > >>>>incoming UDP is blocked
> > >>>>
> > >>>How do they do DNS then?
> > >>>
> > >>>How do the replies get back from the DNS requests?
> > >>>
> > >>I would guess that the reply comes back in the same connection?  As in,
> > >>you don't disconnect and the server which then attempts to make a
> > >>connection back to you?
> > >>
> > >
> > >UDP is connectionless!
> >
> > Oh yeah <hides>
> 
> But some firewall products claim to do "stateful" UDP (IPFilter
> springs to mind) if memory serves.

Basically, when a UDP packet goes out on an authorised connection, a
tunnel in the opposite direction is opened for a limited period of time
to allow the response back. Rather crude and theoretically possible to
exploit, but it seems unlikely. I would definitely recommend using a
nameserver without any known vulnerabilities even for just sending
queries to the Internet.

We have Checkpoint Firewall-1 at work and this certainly appears to
work: my nameservers can make queries out, but queries cannot be sent in
to them.

DNS will work over NAT too, that can give some protection.

Regards, Ian

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
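Editor's note: the post above describes "stateful" UDP filtering as a short-lived reverse hole opened by each outbound datagram, and calls it crude and theoretically exploitable. The following is an added example, not code from the post, from Checkpoint or from IPFilter; it is a toy model of that behaviour in Python, with constructed hosts, ports and timeouts. It shows why a legitimate DNS reply gets back, why an unsolicited query to the inside nameserver does not, and why a forged reply that copies the upstream server's address and port inside the window is passed just like a real one, which is the reason the post still wants a nameserver without known vulnerabilities behind such a firewall.

```python
"""Toy model of 'stateful' UDP filtering as described in the post.

An outbound UDP datagram from an allowed inside host creates a
short-lived table entry keyed on the reversed 4-tuple; an inbound
datagram is accepted only if it matches an unexpired entry.

Everything here (hosts, ports, the 30 s timeout, the datagrams) is
constructed for illustration. Real products refresh timers on traffic
and track more state; this model deliberately keeps only the part the
post talks about.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulUdpFilter:
    def __init__(self, inside_hosts, timeout=30.0):
        self.inside = set(inside_hosts)
        self.timeout = timeout
        # (src, sport, dst, dport) of the expected reply -> expiry time
        self.table = {}

    def _expire(self, now):
        self.table = {k: exp for k, exp in self.table.items() if exp > now}

    def outbound(self, dg, now):
        """Let an inside host send out and remember the reply direction."""
        if dg.src not in self.inside:
            return False
        self.table[(dg.dst, dg.dport, dg.src, dg.sport)] = now + self.timeout
        return True

    def inbound(self, dg, now):
        """Accept an inbound datagram only if it matches a live entry.

        The filter cannot tell a genuine reply from a forged one that
        carries the same addresses and ports: both match the entry.
        """
        self._expire(now)
        return (dg.src, dg.sport, dg.dst, dg.dport) in self.table


def run_scenarios():
    """Exercise the filter with constructed DNS-like traffic."""
    fw = StatefulUdpFilter(inside_hosts={"10.0.0.53"}, timeout=30.0)
    # constructed: inside nameserver 10.0.0.53 queries upstream 192.0.2.1
    query = Datagram("10.0.0.53", 40000, "192.0.2.1", 53)
    reply = Datagram("192.0.2.1", 53, "10.0.0.53", 40000)
    results = {}

    fw.outbound(query, now=0.0)
    results["reply_in_window"] = fw.inbound(reply, now=1.0)

    # unsolicited query from outside to the inside nameserver: no entry
    probe = Datagram("198.51.100.7", 5555, "10.0.0.53", 53)
    results["unsolicited_query"] = fw.inbound(probe, now=1.0)

    # reply to the right host but the wrong client port: no entry
    wrong_port = Datagram("192.0.2.1", 53, "10.0.0.53", 40001)
    results["wrong_port_reply"] = fw.inbound(wrong_port, now=1.0)

    # forged reply: an attacker spoofs the upstream server's address and
    # port while the entry is live. It is indistinguishable from the real
    # reply at this layer, so the filter passes it.
    forged = Datagram("192.0.2.1", 53, "10.0.0.53", 40000)
    results["forged_reply_in_window"] = fw.inbound(forged, now=2.0)

    # once the timeout has passed the hole is closed again
    results["reply_after_timeout"] = fw.inbound(reply, now=31.0)
    return results


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:24s} {'ALLOWED' if allowed else 'blocked'}")
```

The forged-reply scenario is the whole point: the filter only checks addresses, ports and a timer, so anything that guesses the client port and arrives within the window reaches the nameserver. Whether that datagram can do harm is then entirely up to the resolver's own parsing, which is why the post pairs the firewall rule with a nameserver that has no known vulnerabilities.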
