04-19-2017 02:53 AM - edited 03-12-2019 02:14 AM
Hi guys,
I have an issue with my config and probably do not understand the whole thing right. Perhaps someone is able to open my eyes. Thanks in advance:
So what exactly is the issue?
I have a 2821 router with the firewall active. I also have an ACL for outgoing traffic on the Dialer interface ("ip access-group 200 in") where I allow
access-list 200 permit udp any eq domain any
and also "ip inspect Firewall out" for tcp, udp, ftp.
OK. Everything works fine as I have "ip dns server" globally enabled (like a proxy for my internal net).
But now the issue seems to be that my port 53 UDP is open and everyone (the ISP said this) could use this DNS for some attacks and so on.
If I disable the DNS service, my internal network is not able to resolve anymore, which sucks.
So how should it work so that everything that needs to go out works, but in general port 53 UDP is closed from outside?
Thanks for the help
04-19-2017 07:56 AM
The ACL line you mention is for allowing return traffic for queries that are initiated from inside. This line also allows DNS queries from the Internet into your network/to your router. But as you are running a stateful firewall (ip inspect), you don't need these ACL lines.
Can you show your complete dialer and ACL/inspect config so we can decide how to optimize that?
04-19-2017 08:52 AM
Hello Karsten,
Thanks, here we go. Meanwhile I read about DNS view-groups and implemented that, but that was after writing here and testing; port 53 UDP is still open. That's what I want to stop: nothing should be open for anyone outside.
Greets
ip inspect name xx tcp
ip inspect name xx udp
ip inspect name xx ftp
interface Dialer0
description VDSL Einwahl Interface
ip address negotiated
ip access-group 200 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip inspect xx out
ip dns view-group dv1_secure-dns-proxy
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
no keepalive
login isp data
ppp ipcp dns request
ppp ipcp mask request
ppp ipcp route default
no cdp enable
Extended IP access list 200
10 permit icmp any any administratively-prohibited
20 permit icmp any any echo-reply
30 permit icmp any any packet-too-big
40 permit icmp any any time-exceeded
50 permit icmp any any unreachable
60 permit udp any eq domain any
65 permit tcp any eq domain any
70 permit udp any eq 5060 any
79 permit udp host 130.149.17.8 eq ntp any
80 permit udp host 192.53.103.104 eq ntp any
90 permit igmp host IPTV any
100 permit icmp host IPTV any
110 permit igmp any 224.0.0.0 15.255.255.255
120 permit udp any gt 40000 any
130 deny ip any any (1845 matches)
04-19-2017 09:01 AM
OK, here are some changes to the firewall setup:
ip inspect name xx tcp router-traffic
ip inspect name xx udp router-traffic
ip inspect name xx icmp router-traffic
ip inspect name xx ftp
With that you also inspect ICMP (for pinging) and inspect traffic that is router-generated. With that you can remove the following lines from ACL 200:
20 permit icmp any any echo-reply
60 permit udp any eq domain any
65 permit tcp any eq domain any
70 permit udp any eq 5060 any
79 permit udp host 130.149.17.8 eq ntp any
80 permit udp host 192.53.103.104 eq ntp any
And I assume that the following line can also be removed:
120 permit udp any gt 40000 any
04-20-2017 07:30 AM
Hi Karsten,
Thanks a lot. I will check that, but please let me ask, to understand:
If I change it, for example, from tcp to tcp router-traffic as you mentioned, or udp to udp router-traffic, is then really the whole traffic under inspection, or only the traffic which the router generates itself, such as a DNS request (in my case)? That's a point I haven't understood yet. Could you be so kind as to verify or explain again? The difference between
the normal ip inspect name xx tcp and:
ip inspect name xx tcp router-traffic
Thanks in advance
Regards
Cyb
04-20-2017 10:00 AM
ip inspect name xx tcp
The router will only inspect traffic that flows *through* the router, but not traffic that is generated by the router.
ip inspect name xx tcp router-traffic
The router will inspect both traffic that flows through the router *and* traffic that is generated by the router.
BTW: cyberurmel ... the friend of cyberwawa?
EDIT: corrected syntax ... ;-)
04-20-2017 10:00 AM
Hello Karsten,
Thanks a lot,
but in your explanation you wrote the same syntax :) Could you be so kind as to adjust that for understanding?
That would be great.
As I changed that for udp to udp router-traffic, port 53 UDP is still open. Is this a risk for attackers, or did I do something wrong? I got information from the ISP about the open port 53, so I should be safe regarding that.
Thanks
No, sorry, cyberwawa is not known to me.
greets
Cyb
04-20-2017 10:08 AM
(syntax corrected)
Have you removed the ACL lines that allowed the DNS traffic in? That also needs to be done.
04-20-2017 01:06 PM
Hi Karsten,
Thanks again. Yes, I removed everything domain-related from the ACL. Nevertheless, at this site https://support.nightlydev.org/tcp-udp-port-scan
my port 53 is open for UDP?? TCP is closed.
I am just a bit confused why...
Best Regards
Cyb
04-20-2017 02:02 PM
Can you show the resulting config?
And you activated your DNS view on the dialer. Typically these are used on the interface where the DNS query originates, which is typically a LAN interface.
04-21-2017 06:52 AM
Hi Karsten,
here is my config related to the topic:
ip inspect name xx tcp
ip inspect name xx udp router-traffic
ip inspect name xx ftp
interface Dialer0
description VDSL Einwahl Interface
ip address negotiated
ip access-group 200 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip inspect xx out
ip dns view-group dv1_secure-dns-proxy
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
no keepalive
login ISP
ppp ipcp dns request
ppp ipcp mask request
ppp ipcp route default
no cdp enable
access-list 200 permit icmp any any administratively-prohibited
access-list 200 permit icmp any any echo-reply
access-list 200 permit icmp any any packet-too-big
access-list 200 permit icmp any any time-exceeded
access-list 200 permit icmp any any unreachable
access-list 200 permit udp any eq 5060 any
access-list 200 permit udp host 130.149.17.8 eq ntp any
access-list 200 permit udp host 192.53.103.104 eq ntp any
access-list 200 permit igmp host 10.246.63.254 any
access-list 200 permit icmp host 10.246.63.254 any
access-list 200 permit igmp any 224.0.0.0 15.255.255.255
access-list 200 permit udp any gt 40000 any
access-list 200 deny ip any any
What exactly do you mean with the DNS view? Do you think it's wrong on the Dialer, as it should be on the interface to my LAN?
I got another notice from the ISP about the open port 53. How can I close this for incoming requests?
Thanks a lot for your help
greets
04-21-2017 07:39 AM
With the stateful firewall in place you don't need the following rules any more:
access-list 200 permit icmp any any echo-reply
access-list 200 permit udp any eq 5060 any
access-list 200 permit udp host 130.149.17.8 eq ntp any
access-list 200 permit udp host 192.53.103.104 eq ntp any
access-list 200 permit igmp host 10.246.63.254 any
access-list 200 permit icmp host 10.246.63.254 any
access-list 200 permit igmp any 224.0.0.0 15.255.255.255
This one could also be related to incoming DNS, as it allows any UDP with a source port greater than 40000:
access-list 200 permit udp any gt 40000 any
Perhaps it's also this line on the dialer that causes the problem:
ip dns view-group dv1_secure-dns-proxy
I have never used it that way and assume that it could have side effects. Try removing it as well.
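To make the point about line 120 concrete, here is a small first-match evaluator for the access-list 200 syntax posted in this thread. It is example code added for this edit, not from the thread, from Cisco, or from the router; it models only the keywords those lines use (protocol, any/host/wildcard, eq/gt/lt on the source or destination port) and not the temporary openings that ip inspect adds for LAN-initiated sessions. The WAN address 203.0.113.10 and the scanner 198.51.100.7 are constructed, and the 04-21 posting is reproduced by dropping the two "domain" lines from the first one (the two lists differ otherwise only in the redacted IPTV host). An unsolicited query from the Internet arrives with destination port 53 and an ephemeral source port, so `permit udp any eq domain any` (source port 53) only lets in a scanner that deliberately sends from port 53, whereas `permit udp any gt 40000 any` lets in most ordinary clients.

```python
"""Added example, not from the thread: first-match evaluator for the
access-list 200 syntax posted above. Host addresses are constructed."""
import ipaddress
from collections import namedtuple

Entry = namedtuple("Entry", "action proto src sport dst dport text")
PORT_NAMES = {"domain": 53, "ntp": 123}

def _addr(tok, i):
    # 'any' | 'host A' | 'A WILDCARD' at tok[i] -> (kind, addr, wildcard), next index
    if tok[i] == "any":
        return ("any", None, None), i + 1
    if tok[i] == "host":
        return ("host", tok[i + 1], None), i + 2
    return ("net", tok[i], tok[i + 1]), i + 2

def _portop(tok, i):
    # optional 'eq|gt|lt PORT' at tok[i] -> (op, port) or None, next index
    if i < len(tok) and tok[i] in ("eq", "gt", "lt"):
        p = tok[i + 1]
        return (tok[i], int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_entry(line):
    """Accepts 'access-list 200 permit ...' and 'show access-lists' lines
    ('60 permit ... (N matches)'); ICMP type words and counters are ignored."""
    tok = line.split()
    if tok[0] == "access-list":
        tok = tok[2:]
    if tok[0].isdigit():            # sequence number from show output
        tok = tok[1:]
    src, i = _addr(tok, 2)
    sport, i = _portop(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _portop(tok, i)
    return Entry(tok[0], tok[1], src, sport, dst, dport, line.strip())

def parse_acl(text):
    return [parse_entry(l) for l in text.strip().splitlines()]

def _ip_match(spec, ip):
    kind, a, w = spec
    if kind == "any":
        return True
    if kind == "host":
        return ip == a
    ip_i, net_i, wc_i = (int(ipaddress.IPv4Address(x)) for x in (ip, a, w))
    return (ip_i ^ net_i) & (0xFFFFFFFF ^ wc_i) == 0   # wildcard bit 1 = don't care

def _port_match(spec, port):
    if spec is None:
        return True
    op, p = spec
    return {"eq": port == p, "gt": port > p, "lt": port < p}[op]

def evaluate(acl, proto, src, sport, dst, dport):
    """Return (action, matching line): first match wins, implicit deny at the end."""
    for e in acl:
        if (e.proto in ("ip", proto) and _ip_match(e.src, src) and _port_match(e.sport, sport)
                and _ip_match(e.dst, dst) and _port_match(e.dport, dport)):
            return e.action, e.text
    return "deny", "implicit deny"

# ACL 200 as first posted in the thread; "IPTV" is the post's redaction, kept as-is.
ACL_FIRST = parse_acl("""
10 permit icmp any any administratively-prohibited
20 permit icmp any any echo-reply
30 permit icmp any any packet-too-big
40 permit icmp any any time-exceeded
50 permit icmp any any unreachable
60 permit udp any eq domain any
65 permit tcp any eq domain any
70 permit udp any eq 5060 any
79 permit udp host 130.149.17.8 eq ntp any
80 permit udp host 192.53.103.104 eq ntp any
90 permit igmp host IPTV any
100 permit icmp host IPTV any
110 permit igmp any 224.0.0.0 15.255.255.255
120 permit udp any gt 40000 any
130 deny ip any any (1845 matches)
""")
# The 04-21 posting is the same list minus both 'domain' lines (only the IPTV host differs).
ACL_SECOND = [e for e in ACL_FIRST if "domain" not in e.text]
# After the advice above only the ICMP error types and the final deny remain;
# return traffic for LAN-initiated sessions is opened by ip inspect, not by the ACL.
ACL_HARDENED = [e for e in ACL_SECOND
                if (e.proto == "icmp" and e.src[0] == "any" and "echo-reply" not in e.text)
                or e.action == "deny"]

WAN = "203.0.113.10"      # constructed stand-in for the negotiated dialer address
SCANNER = "198.51.100.7"  # constructed Internet host sending unsolicited queries

def inbound_dns_verdicts():
    """Unsolicited UDP queries to port 53 on the dialer, per ACL version."""
    return {
        "first ACL, source port 53 (as a scanner run with -g 53 would send)":
            evaluate(ACL_FIRST, "udp", SCANNER, 53, WAN, 53),
        "domain lines removed, source port 51234":
            evaluate(ACL_SECOND, "udp", SCANNER, 51234, WAN, 53),
        "domain lines removed, source port 1053":
            evaluate(ACL_SECOND, "udp", SCANNER, 1053, WAN, 53),
        "hardened ACL, source port 51234":
            evaluate(ACL_HARDENED, "udp", SCANNER, 51234, WAN, 53),
    }
```

Running `inbound_dns_verdicts()` shows the sequence the thread went through: removing lines 60 and 65 alone still lets a query from a source port above 40000 through on line 120, while with the hardened list every unsolicited query falls to the final deny. Whether the router then answers at all is a separate question, decided by the DNS server/view configuration, which this evaluator does not model.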
04-22-2017 03:25 AM
Hi Karsten,
I deleted all relevant things now: the DNS view on the Dialer and almost everything in my ACL 200.
But when testing port 53 UDP:
53/udp open|filtered domain
How can I be 100% sure that the DNS is not responding to requests from outside? I don't want to get letters from lawyers saying that my IP is responsible for DDoS or something like that.
Thanks a lot for your help.
greets
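The `open|filtered` result above is what nmap reports for any UDP port that returns neither a UDP reply nor an ICMP port-unreachable, and the posted dialer config has `no ip unreachables`, so a closed port on this router looks exactly like that. A port scanner therefore cannot settle the question; an application-layer probe can. The following is example code added for this edit (not from the thread and not a Cisco tool): it sends one real recursive A query to the WAN address and classifies the reply, and it embeds two constructed replies (an open-resolver answer and a REFUSED) so the classification can be exercised offline. The name example.com is a constructed choice; any name the router is not authoritative for works, since an answer for it proves forwarding/recursion.

```python
"""Added example, not from the thread: application-layer check for the
'53/udp open|filtered' result. Sends a real recursive A query to the WAN
address and classifies the reply; sample replies below are constructed."""
import random
import socket
import struct
import sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(name, txid, qtype=1):
    """Standard query, RD=1, one question of class IN (RFC 1035 section 4.1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(data, txid):
    """Return the header flags that matter here; rejects a foreign transaction id."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    return {"qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answers": an}

def classify(resp):
    """Map a parsed reply (None = silence) to what it means for the port."""
    if resp is None:
        return "silent: consistent with closed; 'no ip unreachables' suppresses the ICMP"
    if not resp["qr"]:
        return "reachable: got a packet back that is not a DNS response"
    if resp["rcode"] == 0 and resp["ra"] and resp["answers"] > 0:
        return "OPEN RESOLVER: recursion available and the query was answered"
    if resp["rcode"] == 0:
        return "reachable: answered, but recursion not advertised"
    return "reachable: replied %s; port is still exposed" % RCODES.get(resp["rcode"], resp["rcode"])

def probe(target, name="example.com", port=53, timeout=2.0):
    """Send one query from this host; None means no reply within the timeout."""
    txid = random.randrange(1, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (target, port))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_header(data, txid)

# Constructed replies for offline use (txid 0x1234, question example.com/A).
_QUESTION = b"\x07example\x03com\x00\x00\x01\x00\x01"
_ANSWER_A = b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01"  # A 192.0.2.1, TTL 3600
REPLY_OPEN_RESOLVER = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION + _ANSWER_A
REPLY_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: dns_probe.py <WAN address>   (run from outside the LAN)")
    else:
        print(classify(probe(sys.argv[1])))
```

Run it from a host on the Internet, not from the LAN, because the LAN side of the router is supposed to answer. Silence is the outcome you want; any reply, even REFUSED, means UDP/53 is reachable from outside and the ISP scanner will keep reporting it.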