[lug] using tcpdump to emulate effects of packet dump
Jeffrey Siegal
jbs at quiotix.com
Thu Jul 17 21:57:59 MDT 2003
D. Stimits wrote:
>> I'd run a local caching DNS server, and point your Windows machines at
>> that. Then block all incoming packets to your Windows boxes from the
>> outside except non-SYN tcp packets.
>
> Not possible, this is UDP, no such thing as SYN. Nor are they sending an
> initial packet to the windows machine to see if it is there, they simply
> flood a UDP spam into port 1026, connectionless. The only way to tell if
> that is what it is (because it could be going to a linux machine) is by
> the content of the packet.
Right, just block all UDP going to your Windows machines from the
outside. You don't need it. There are some applications that use UDP
over the Internet (media players mostly) but they all have TCP fallback
because so many firewalls won't pass UDP anyway.
The purpose of the caching server is to allow DNS to work without having
the Windows boxes doing the queries themselves. They query the caching
server, the caching server does the queries. The filter *does* allow
UDP to go to the caching server, which is safe because you're running a
secure operating system (and DNS server) there, not Windows. Or
you can configure it to do its outgoing DNS requests on port 53, and
block the rest. Either way.
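The filter the reply describes, written out as an added iptables rule set for a Linux router sitting between the outside and the LAN; this is example code, not from the thread. It assumes the caching resolver is a separate host at 192.168.1.2 behind the router, that eth0 faces the Internet and eth1 the LAN, and that the resolver sends its queries from source port 53 (the tighter variant the reply mentions); IPT defaults to a dry run that only echoes the rules.

```shell
#!/bin/sh
# Example rule set for the caching-DNS-plus-filter setup from the thread.
# Assumed layout (not from the thread): eth0 = outside, eth1 = LAN,
# caching resolver at 192.168.1.2, Windows hosts in 192.168.1.0/24.
# IPT defaults to "echo iptables" so the rules are printed, not applied;
# run with IPT=iptables as root to load them.
IPT="${IPT:-echo iptables}"
WAN=eth0
LAN=eth1
DNS_CACHE=192.168.1.2
LAN_NET=192.168.1.0/24

dns_filter_rules() {
    # Start from an empty FORWARD chain that drops by default.
    $IPT -F FORWARD
    $IPT -P FORWARD DROP
    # The LAN may initiate anything outbound.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    # Inbound TCP: only packets of connections the LAN opened (non-SYN),
    # as in the quoted proposal.
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -p tcp ! --syn -j ACCEPT
    # Inbound UDP: only DNS answers, and only to the caching resolver.
    # Because the resolver queries from source port 53, answers arrive
    # with destination port 53; drop "--dport 53" if it uses random ports.
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -p udp -d "$DNS_CACHE" \
        --sport 53 --dport 53 -j ACCEPT
    # Everything else from outside, including UDP aimed at port 1026 on
    # the Windows hosts, falls through to the DROP policy; log a sample.
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -p udp -m limit --limit 5/min \
        -j LOG --log-prefix "udp-blocked: "
}

dns_filter_rules
```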