[lug] using tcpdump to emulate effects of packet dump

Jeffrey Siegal jbs at quiotix.com
Thu Jul 17 21:57:59 MDT 2003


D. Stimits wrote:
>> I'd run a local caching DNS server, and point your Windows machines at
>> that.  Then block all incoming packets to your Windows boxes from the
>> outside except non-SYN tcp packets.
> 
> Not possible, this is UDP, no such thing as SYN. Nor are they sending an 
> initial packet to the Windows machine to see if it is there, they simply 
> flood UDP spam into port 1026, connectionless. The only way to tell if 
> that is what it is (because it could be going to a Linux machine) is by 
> the content of the packet.

Right, just block all UDP going to your Windows machines from the 
outside.  You don't need it.  There are some applications that use UDP 
over the Internet (media players mostly) but they all have TCP fallback 
because so many firewalls won't pass UDP anyway.

The purpose of the caching server is to allow DNS to work without having 
the Windows boxes doing the queries themselves.  They query the caching 
server, the caching server does the queries.  The filter *does* allow 
UDP to go to the caching server, which is safe because you're running a 
secure operating system (and DNS server) there, not Windows.  Or 
you can configure it to do its outgoing DNS requests on port 53, and 
block the rest.  Either way.




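As an added example (not part of the post or the list thread), the inbound policy the reply describes, written as a small Python filter simulator so the decisions can be traced per packet. The addresses, host roles and sample packets are made up for illustration; the port-1026 UDP flood is the only detail taken from the thread. The "non-SYN TCP" rule is modelled the way iptables' `--syn` match works (SYN set, ACK clear), so that SYN+ACK replies to outbound connections still pass. Both variants from the reply are covered: allow all UDP to the caching resolver, or run the resolver's queries from source port 53 and allow only UDP to port 53.

```python
"""Toy inbound packet filter for the LAN policy discussed above (added example)."""
from dataclasses import dataclass

# Hypothetical addresses; the post names no hosts.
LAN_PREFIX = "192.168.1."
RESOLVER = "192.168.1.1"            # Linux box running the caching DNS server
WINDOWS_HOSTS = {"192.168.1.10", "192.168.1.11"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP flags; always False for UDP
    ack: bool = False


def is_outside(addr: str) -> bool:
    """Anything not in the LAN prefix counts as 'the outside'."""
    return not addr.startswith(LAN_PREFIX)


def inbound_verdict(pkt: Packet, resolver_sport_53: bool = False) -> str:
    """Return 'ACCEPT' or 'DROP' for one packet arriving at the border.

    Policy, following the post:
      * TCP: drop new connection attempts (SYN set, ACK clear); everything
        else is a continuation of a connection a LAN host opened, so pass it.
      * UDP: only traffic to the caching resolver passes. With
        resolver_sport_53=True the resolver sends its queries from port 53,
        so only UDP to port 53 on the resolver is allowed ("block the rest").
      * Everything else, including the UDP/1026 spam, is dropped without
        any payload inspection: the decision needs only addresses and ports.
    """
    if not is_outside(pkt.src):
        return "ACCEPT"                      # LAN-originated traffic, not this filter's concern
    if pkt.proto == "tcp":
        if pkt.syn and not pkt.ack:
            return "DROP"                    # outsider trying to open a connection
        return "ACCEPT"
    if pkt.proto == "udp":
        if pkt.dst != RESOLVER:
            return "DROP"                    # covers every UDP packet aimed at a Windows host
        if resolver_sport_53:
            return "ACCEPT" if pkt.dport == 53 else "DROP"
        return "ACCEPT"
    return "DROP"                            # unknown protocol: default deny


# Constructed sample packets (RFC 5737 documentation addresses for the outside).
MESSENGER_SPAM = Packet("203.0.113.5", "192.168.1.10", "udp", 1234, 1026)
DNS_REPLY_RANDOM_PORT = Packet("198.51.100.2", RESOLVER, "udp", 53, 40000)
DNS_REPLY_PORT_53 = Packet("198.51.100.2", RESOLVER, "udp", 53, 53)
SPAM_AT_RESOLVER = Packet("203.0.113.5", RESOLVER, "udp", 1234, 1026)
SMB_PROBE = Packet("203.0.113.9", "192.168.1.11", "tcp", 4444, 445, syn=True)
WEB_SYNACK = Packet("198.51.100.7", "192.168.1.10", "tcp", 80, 51000, syn=True, ack=True)
WEB_DATA = Packet("198.51.100.7", "192.168.1.10", "tcp", 80, 51000, ack=True)


def verdicts(resolver_sport_53: bool = False) -> dict:
    """Evaluate every sample packet under one policy variant."""
    samples = {
        "messenger_spam": MESSENGER_SPAM,
        "dns_reply_random_port": DNS_REPLY_RANDOM_PORT,
        "dns_reply_port_53": DNS_REPLY_PORT_53,
        "spam_at_resolver": SPAM_AT_RESOLVER,
        "smb_probe": SMB_PROBE,
        "web_synack": WEB_SYNACK,
        "web_data": WEB_DATA,
    }
    return {name: inbound_verdict(p, resolver_sport_53) for name, p in samples.items()}


if __name__ == "__main__":
    for variant in (False, True):
        print(f"resolver_sport_53={variant}")
        for name, v in verdicts(variant).items():
            print(f"  {name:24s} {v}")
```

The difference between the two runs is the point of the second variant: with the resolver querying from random ports, any UDP from outside reaches it (spam_at_resolver is accepted, which the post judges acceptable on a hardened box); pinning the resolver's source port to 53 lets the filter drop that too.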