On Tue, 2004-05-11 at 09:45, Peter Marshall wrote:

> Which is better (to drop or reject packets)? I am asking more
> specifically for connections from the internet to my external
> firewall.

Depends. I like rejecting with host-unreachables as it makes it look like you do not have a firewall. It also has the ability to shut down certain scanning tools before they can find exposed ports. Some worry this could be a potential DoS situation. If you are worried about this you can combine it with rate limiting.

> My second question is if I have a DNS in my DMZ (contains only IPs in
> my DMZ; internal boxes use this as their DNS. This DNS falls back to
> my ISP), do I have to allow both TCP and UDP connections on port 53?
> Can I not just have UDP, or does it use both?

Again, it depends. Queries use UDP/53 _unless_ the answer exceeds a 512 byte packet size. If it does, the connection can switch over to TCP/53. So, outbound you need TCP and UDP. Inbound to your DNS server, it depends if your answers will exceed this maximum. If not, you only need to permit UDP/53 from the Internet in general, and TCP/53 only from servers (if any) that are acting as secondaries.

HTH,
Chris
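The UDP-to-TCP switch Chris describes is driven by the TC (truncated) flag in the reply header; the client retries the same query over TCP/53, where each message carries a 2-byte length prefix. The following is an added example, not code from the mail or its authors: it builds a query, inspects the TC bit on a constructed sample reply, and shows the fallback logic a resolver applies (the 512-byte figure is the classic limit; EDNS0 lets peers negotiate larger UDP replies, but a TC=1 reply still forces TCP).

```python
import socket
import struct

DNS_UDP_MAX = 512  # classic UDP payload limit quoted in the mail


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: 12-byte header (RD set) + QNAME + QTYPE + QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def is_truncated(response: bytes) -> bool:
    """True when the TC bit (0x0200 in the flags word) is set in the reply."""
    if len(response) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    flags, = struct.unpack("!H", response[2:4])
    return bool(flags & 0x0200)


def frame_for_tcp(message: bytes) -> bytes:
    """Over TCP every DNS message is prefixed with its 2-byte big-endian length."""
    return struct.pack("!H", len(message)) + message


def constructed_response(txid: int, truncated: bool) -> bytes:
    """Constructed sample reply header (QR, RD, RA set), no records attached."""
    flags = 0x8180 | (0x0200 if truncated else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)


def transport_for(udp_reply: bytes) -> str:
    """Transport the client must use next: 'tcp' if the UDP reply was truncated."""
    return "tcp" if is_truncated(udp_reply) else "udp"


def resolve_raw(server: str, qname: str, timeout: float = 3.0) -> bytes:
    """Query over UDP/53; on TC=1 repeat over TCP/53 (needs network access)."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        reply, _ = udp.recvfrom(DNS_UDP_MAX)
    if not is_truncated(reply):
        return reply
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(frame_for_tcp(query))
        length, = struct.unpack("!H", tcp.recv(2))
        buf = b""
        while len(buf) < length:  # TCP may deliver the reply in pieces
            chunk = tcp.recv(length - len(buf))
            if not chunk:
                break
            buf += chunk
        return buf
```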