# "Firewall UDP Packet Source Port 53 Ruleset Bypass"



## fantasygoat (Dec 14, 2009)

My client is running some automated scanning tools on his website and it's returning this error.  I'd like to know what ipfw rule I should put in place to block port 53 sourced packets.

Here's the rules we have now:


```
# Sockets that were allowed to be set up should be passed through
# quickly
add 01000 allow tcp from any to any established

# Open UDP services
add 03000 allow udp from any to any domain,ntalk,ntp
add 03000 allow udp from any domain,ntalk,ntp to any
add 03500 allow udp from any to any frag

# Open TCP services
add 04000 allow tcp from any to any http,https
add 04000 allow tcp from any to any smtp,domain,ntalk
add 04000 allow tcp from any to any auth

# Open ICMP services (required for normal networking)
add 05000 allow icmp from any to any icmptypes 0,3,8,11,12,13,14

# Safety net
add 10000 deny all from any to any
```


----------



## DutchDaemon (Dec 14, 2009)

```
add 03000 allow udp from any domain,ntalk,ntp to any
```

This rule allows incoming and outgoing packets from source port udp/53. Most modern nameservers use a random high source port nowadays, so this rule is most likely no longer necessary.


----------



## J65nko (Dec 15, 2009)

Tcpdump fragment of an outgoing DNS query:

```
192.168.222.244.31233 > 94.142.245.224.53:  12061%
```

The answer:

```
94.142.245.224.53 > 192.168.222.244.31233:  12061*
```

Usually blocking incoming replies to DNS queries sent is not a good idea.

I haven't used ipfw for several years, but AFAIK it supports stateful filtering. Just wondering why you are not using that.


----------
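An added illustration, not code from any post in this thread: a toy ipfw-style matcher that replays the posted UDP rules, and then a stateful rewrite of them, against three constructed packets (the query/answer pair from the tcpdump above plus a forged packet carrying source port 53). The `LOCAL` address standing in for ipfw's `me`, the port-111 destination and the 203.0.113.9 source are assumptions; the stateful rule text in the comments uses ipfw's real `check-state`/`keep-state` keywords.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport")
DOMAIN, NTALK, NTP = 53, 518, 123       # service ports named in the ruleset
LOCAL = {"192.168.222.244"}             # hypothetical "me" (the firewall host)
SVC = {DOMAIN, NTALK, NTP}

# Rule: (from_me, src_ports, dst_ports, action, keep_state); None means any.
# Posted ruleset (the two 03000 UDP rules plus the 10000 safety net):
STATELESS = [
    (False, None, SVC, "allow", False),  # allow udp from any to any domain,ntalk,ntp
    (False, SVC, None, "allow", False),  # allow udp from any domain,ntalk,ntp to any
    (False, None, None, "deny", False),  # deny all from any to any
]
# Stateful rewrite (hypothetical): "check-state" is the lookup below and the
# source-port rule is gone; replies pass only through dynamic state.
STATEFUL = [
    (True, None, SVC, "allow", True),    # allow udp from me to any domain,ntalk,ntp keep-state
    (False, None, None, "deny", False),  # deny all from any to any
]

def filter_packets(rules, packets):
    """Return one verdict per packet; dynamic state is a set of 4-tuples."""
    state, verdicts = set(), []
    for p in packets:
        if (p.dst, p.dport, p.src, p.sport) in state:   # check-state: reply to a known flow
            verdicts.append("allow")
            continue
        for from_me, sports, dports, action, keep in rules:
            if from_me and p.src not in LOCAL:
                continue
            if (sports is None or p.sport in sports) and (dports is None or p.dport in dports):
                if keep:                                   # keep-state: remember the flow
                    state.add((p.src, p.sport, p.dt, p.dport)) if False else state.add((p.src, p.sport, p.dst, p.dport))
                verdicts.append(action)
                break
    return verdicts

# Constructed traffic: the query/answer pair from the thread, then a forged
# packet with source port 53 aimed at port 111 (sunrpc) on the firewall host.
PACKETS = [
    Pkt("192.168.222.244", 31233, "94.142.245.224", 53),
    Pkt("94.142.245.224", 53, "192.168.222.244", 31233),
    Pkt("203.0.113.9", 53, "192.168.222.244", 111),
]

print("stateless:", filter_packets(STATELESS, PACKETS))  # ['allow', 'allow', 'allow']
print("stateful: ", filter_packets(STATEFUL, PACKETS))   # ['allow', 'allow', 'deny']
```

The stateless set passes the forged packet because the second 03000 rule matches on source port alone; the stateful set only ever opens a pinhole for replies to queries the host itself sent.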



## DutchDaemon (Dec 15, 2009)

I hadn't even _considered_ anyone not using stateful filtering nowadays ...


----------

