I just read this message by Mark Andrews on the BIND mailing list. It explains the possible issues with DNSSEC and over-protective firewalls, giving test-commands to verify your setup. This post is also interesting for regular DNS traffic, since a firewall doesn’t know the difference.
Posts tagged ‘firewall’
In Belgium, there are 2 major ISPs: Telenet and Belgacom (Skynet). None of them allows you to run servers on your home DSL connection, but only Telenet enforced this by simply blocking all incoming TCP requests on the low ports.
I regularly connect to my home server over SSH from all over the world to access my files, mail, photos, …. Since not every network I encounter allows outgoing 22/TCP connections, I also listen on 80/TCP and 443/TCP for SSH connections. This setting allowed me to connect home from pretty much every network.
However, since somewhere this weekend, Belgacom started to filter incomming connections. My last successful attempt was around 2009-10-31T00:10+0100. When trying this again today around 16:00+0100, the connection was filtered. Contrary to Telenet, Belgacom has the decency to reply with an “ICMP Administratively Prohibited” message. A quick port-scan showed that the following ports are being filtered:
- 23/tcp (telnet)
- 80/tcp (http)
- 443/tcp (https)
- 992/tcp (telnets)
- 8023/tcp (unknown)
- 8085/tcp (unknown)
- 8443/tcp (https-alt)
Connecting to home has just become more difficult… Guess I’ll start using IP over DNS…
Update 2009-11-03
Found another blog describing this issue (in Dutch). Rumor has it that Belgacom will offer an opt-out of this filtering.
Update 2009-11-11
The filtering of port 23, 80 and 443 can be disabled by surfing to the Belgacom e-service site and opting for “Basic Security” under “mijn internet – mijn opties”.
When doing some research on the different tables in iptables, I was trying to figure out in what order what tables are traversed. Obviously PREROUTING happens before POSTROUTING, but it becomes more difficult to figure out if mangle happens before are after nat.
I found a post which links to this overview:
