From: kpalmer (kip.palmer@xxxxxxxxxxx)
Date: Sat Jul 13 2002 - 09:49:10 GMT-3
For anyone who cares, here's a tested dns filter.
What a moment of incompetence! I mean, I've worked with
PIX on a daily basis and have set my share of perimeter
ACLs. But get me on my home network and all bets are off.
Actually, I think the PIX runs a fixup protocol on DNS, like
FTP, SMTP, etc.
Maybe that's why I drew a blank. Still no excuse.
access-list 105 permit tcp any x.x.0.0 0.0.y.x established
access-list 105 permit udp [x.x.x.0 0.0.0.255] eq 53 [x.x.x.0 0.0.0.255] gt 1023 log
                           dns servers              inside subnets
Log it to test it.
interface serial 1
ip access-group 105 in
Kip Palmer
kip.palmer@verizon.net
909.374.6865 cell
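An added illustration, not part of Kip's post: a small Python model of how IOS evaluates the two entries of access-list 105 against sample inbound packets on serial 1. The x.x.x.0 placeholders are replaced with constructed RFC 5737 documentation addresses (192.0.2.0/24 for the inside subnets, 198.51.100.0/24 for the upstream DNS servers), and the packets are constructed too. It shows why a plain inbound SYN is dropped by the "established" entry, which DNS replies the second entry lets through, and that a reply addressed to a port at or below 1023 falls to the implicit deny.

```python
"""Toy evaluator for the two-line IOS DNS filter from the post.

Constructed example: placeholders are replaced with RFC 5737 addresses and
IOS extended-ACL semantics are modelled in simplified form (first match
wins, implicit deny at the end, 'established' = ACK or RST bit set).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-ins for the x.x.x.0 placeholders in the post.
INSIDE_NET = ("192.0.2.0", "0.0.0.255")      # inside subnets
DNS_SERVERS = ("198.51.100.0", "0.0.0.255")  # DNS servers reached over serial 1


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard-mask match: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def port_match(port: int, op: Optional[str], value: Optional[int]) -> bool:
    """Port operator as written in the ACL: eq / gt / lt, or none at all."""
    if op is None:
        return True
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]


@dataclass
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: set = field(default_factory=set)  # TCP flags, e.g. {"SYN"} or {"ACK"}


@dataclass
class Rule:
    proto: str
    src_net: str
    src_wc: str
    src_op: Optional[str]
    src_port: Optional[int]
    dst_net: str
    dst_wc: str
    dst_op: Optional[str]
    dst_port: Optional[int]
    established: bool = False
    log: bool = False

    def matches(self, p: Packet) -> bool:
        if p.proto != self.proto:
            return False
        if not wildcard_match(p.src, self.src_net, self.src_wc):
            return False
        if not wildcard_match(p.dst, self.dst_net, self.dst_wc):
            return False
        if not port_match(p.sport, self.src_op, self.src_port):
            return False
        if not port_match(p.dport, self.dst_op, self.dst_port):
            return False
        # 'established' is a stateless check on the ACK or RST bit: return
        # traffic of an inside-initiated connection passes, a bare SYN does not.
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True


ACL_105 = [
    # access-list 105 permit tcp any <inside subnets> established
    Rule("tcp", "0.0.0.0", "255.255.255.255", None, None,
         *INSIDE_NET, None, None, established=True),
    # access-list 105 permit udp <dns servers> eq 53 <inside subnets> gt 1023 log
    Rule("udp", *DNS_SERVERS, "eq", 53, *INSIDE_NET, "gt", 1023, log=True),
]


def evaluate(acl, packet: Packet):
    """Return (action, entry number). First matching entry wins; every IOS
    ACL ends with an implicit 'deny ip any any'."""
    for i, rule in enumerate(acl, start=1):
        if rule.matches(packet):
            return ("permit", i)
    return ("deny", None)


# Constructed inbound packets as seen on serial 1.
SAMPLES = {
    "tcp_syn_inbound": Packet("tcp", "203.0.113.9", 40000, "192.0.2.10", 22, {"SYN"}),
    "tcp_return": Packet("tcp", "203.0.113.9", 80, "192.0.2.10", 51000, {"ACK"}),
    "dns_reply": Packet("udp", "198.51.100.53", 53, "192.0.2.10", 34567),
    "dns_reply_low_port": Packet("udp", "198.51.100.53", 53, "192.0.2.10", 53),
    "udp_from_other_host": Packet("udp", "203.0.113.9", 53, "192.0.2.10", 34567),
}


def run_samples():
    """Evaluate every sample packet; returns {name: (action, entry)}."""
    return {name: evaluate(ACL_105, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:22s} -> {verdict}")
```

The dns_reply_low_port case is the one to check on a real network: a resolver that sends its queries from source port 53 (older BIND did this by default) gets its replies back on port 53, and the gt 1023 clause drops them. The log keyword on the permit entry, as the post suggests, is the quick way to confirm which replies are actually matching before you trust the filter.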
This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:36:28 GMT-3