TFTP server and port 69 UDP or TCP or Both

zillah2004
Level 1

If I want to write an access list (inbound) on a router to prevent users on the Ethernet LAN connected to e0 from accessing a TFTP server (10.1.1.15) located on the LAN connected to e1.

The extended access list on the Ethernet interface e0 (inbound), will be:

Access-list 101 deny udp (not tcp) 0.0.0.0 255.255.255.255 10.1.1.15 0.0.0.0 eq 69

Access-list 101 permit ip any any.

Do I need to add this line as well to the deny statement above?

Access-list 101 deny tcp (not udp) 0.0.0.0 255.255.255.255 10.1.1.15 0.0.0.0 eq 69

See the link below for that.

Under : “The following incoming access list will block these ports on your router”:

http://www.ibiblio.org/security/articles/ports.html

8 Replies

Harold Ritter
Level 12

TFTP is udp based so there is no need for the deny tcp statement.

Let me know if I answered your question,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Thanks hritter

Could you please comment on the link that I sent, because it uses UDP as well as TCP!!!

I have read a question in a CCIE written preparation and they used UDP and TCP as well.

I think the document you included blindly denies both TCP and UDP ports for all protocols as defined in the following document:

http://www.iana.org/assignments/port-numbers

You see, for instance, protocols such as FTP and telnet reserve both TCP and UDP ports but are currently only implemented using TCP.

There is no implementation of TFTP using TCP port 69 that I know of. Specifying both UDP and TCP for TFTP in your ACL doesn't make a big difference if you only block a couple of protocols but could easily become a nightmare as your ACL grows.

Let me know if I answered your question,

Harold Ritter

((There is no implementation of TFTP using TCP port 69 that I know of.))

Don't you think the above is similar to one of the configurations that I found in the Cisco Lab about a DNS server:

Vista(config)# access-list 112 permit udp any host 172.16.1.2 eq domain

Vista(config)# access-list 112 permit tcp any host 172.16.1.2 eq 53

As you can see, for the DNS server in the first row he used UDP and in the second row he used TCP?

zillah2004, I think your example is different, as DNS works on UDP for client queries and TCP for zone transfers between servers.

So it uses the same port, but has a different function on each layer 4 protocol.

Regards

Thanks for that

((as DNS works on UDP for client queries and TCP for zone transfers between servers)).

Does it make any difference if the explanation says:

(( Use the following

a- protocol udp to allow hosts to use the server for lookup requests on port 53.

b- protocol tcp to allow zone transfer on port 53 {my understanding is from server to client, not between servers} ))

This is a rather old post, however it keeps coming up in Google, so just in case someone else was wondering...

DNS port 53 (udp) is for a client to query a server. This is the standard method of pulling down a single query from a DNS server and is by far the most commonly used form of DNS.

DNS port 53 (tcp) is used for server-to-server communications (typically) when one server is requesting a zone transfer of the entire zone. Typically this is seen from slave servers to their masters (or hidden masters, depending on how the org is set up).

Note that (tcp) is typically denied with a white list of servers that are allowed to make queries, whereas (udp) is typically allowed with potentially a black list of servers that are "bad guys".
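To tie the two halves of the thread together, here is an added worked configuration (written for this edit, not taken from the thread, the linked article or any Cisco document) showing both ACLs in current IOS syntax: the TFTP deny from the original question, and the DNS permits from the lab example with the TCP side restricted to a single secondary server as the last reply suggests. The interface names, the ACL numbers, and the secondary DNS server address 172.16.1.3 are assumptions; the server addresses 10.1.1.15 and 172.16.1.2 come from the thread.

```cisco
! Added example, not from the thread. Interface names, ACL numbers and the
! secondary DNS server 172.16.1.3 are assumed for illustration.
!
! Case 1 (original question): LAN hosts behind e0 must not reach the TFTP
! server 10.1.1.15. TFTP uses UDP only, so one deny line is sufficient.
! "0.0.0.0 255.255.255.255" in the question is the same as "any", and
! "10.1.1.15 0.0.0.0" is the same as "host 10.1.1.15". "eq tftp" is accepted
! in place of "eq 69". "log" records matches so blocked attempts are visible.
access-list 101 deny   udp any host 10.1.1.15 eq 69 log
access-list 101 permit ip any any
!
! Apply inbound on the interface facing the LAN users (e0 in the question).
interface Ethernet0
 ip access-group 101 in
!
! Case 2 (DNS server 172.16.1.2 from the lab example): UDP/53 queries from any
! client are allowed; TCP/53, which carries zone transfers, is allowed only
! from the assumed secondary server 172.16.1.3. Every other TCP/53 attempt is
! denied and logged. Anything not matched falls to the implicit deny at the
! end of the list, so be sure to permit whatever other traffic the server needs.
access-list 112 permit udp any host 172.16.1.2 eq domain
access-list 112 permit tcp host 172.16.1.3 host 172.16.1.2 eq domain
access-list 112 deny   tcp any host 172.16.1.2 eq domain log
!
interface Ethernet1
 ip access-group 112 in
```

One caveat worth knowing when reading ACL 101: a TFTP client only sends its initial read or write request to UDP port 69; the server answers from, and the rest of the transfer runs on, ephemeral ports on both sides. Denying destination port 69 is still enough, because the transfer cannot begin without that first request, but a packet capture of an established TFTP session will show no port 69 traffic at all. Check hits with `show access-lists 101` (the match counters) or with the `log` entries on the router's logging destination.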
