On Thu, 15 Sep 2005 10:29:27 +0300 Kim Onnel <karim.adel@gmail.com> wrote:
80 deny udp any any eq 1026 (3481591 matches)
If you don't already know, it might be worth looking at a detailed breakdown of the source ports hitting that rule. It may be blocking a good amount of DNS and NTP traffic for instance. If that is the case, what you may find an acceptable alternative is to preface it with rules like this so at least your recursive DNS servers will not have to maintain the recursive query in memory until it times out and your time servers don't miss a poll:

    permit udp any eq 53 host [recursive-dns-server-address] eq 1026
    permit udp any eq 123 host [time-server-address] eq 1026

If a larger population of hosts are doing DNS then you'll have to decide whether or how to open it further or accept occasional failures. Note, in my experience, many of the Windows-based worms tend to use a source port > 1023, so while this opens an even bigger hole, you could allow through all src ports < 1024, which should create less breakage. Your filtering policy and security stance may not permit the trade-off of course, but it's another option I've seen used.

John
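As an added example that is not part of the original thread: a small first-match evaluator in Python for the UDP ACL lines discussed above, run over a few constructed packets, so the effect of putting the permit lines before the deny (and of the broader "src ports < 1024" variant) can be checked. The resolver and time-server addresses are constructed placeholders for the bracketed hosts in the message.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder addresses standing in for the bracketed hosts
# [recursive-dns-server-address] and [time-server-address].
DNS_SERVER = "192.0.2.53"
NTP_SERVER = "192.0.2.123"

def _match_addr(spec, addr):
    """'any' or a network/host in CIDR form (host X == X/32)."""
    return spec == "any" or ip_address(addr) in ip_network(spec)

def _match_port(spec, port):
    """spec is None (no operator), ('eq', n) or ('lt', n), as on the ACL line."""
    if spec is None:
        return True
    op, n = spec
    return port == n if op == "eq" else port < n

# Each tuple mirrors one 'udp' ACL line: (action, src, src_port, dst, dst_port).
# Only the UDP lines from the thread are modelled; everything else falls to
# the implicit deny at the end.
ACL_TWEAKED = [
    ("permit", "any", ("eq", 53),  DNS_SERVER + "/32", ("eq", 1026)),  # DNS replies
    ("permit", "any", ("eq", 123), NTP_SERVER + "/32", ("eq", 1026)),  # NTP replies
    ("deny",   "any", None,        "any",              ("eq", 1026)),  # original line 80
]

# The broader trade-off mentioned in the reply: any well-known source port.
ACL_BROAD = [
    ("permit", "any", ("lt", 1024), "any", ("eq", 1026)),
    ("deny",   "any", None,         "any", ("eq", 1026)),
]

def evaluate(acl, src, sport, dst, dport):
    """First matching line wins, as on IOS; implicit deny if nothing matches."""
    for action, s, sp, d, dp in acl:
        if (_match_addr(s, src) and _match_port(sp, sport)
                and _match_addr(d, dst) and _match_port(dp, dport)):
            return action
    return "deny"

if __name__ == "__main__":
    # Constructed sample packets (src, sport, dst, dport), all UDP.
    samples = [
        ("198.51.100.7", 53,   DNS_SERVER,   1026),  # DNS reply to the resolver
        ("198.51.100.7", 123,  NTP_SERVER,   1026),  # NTP reply to the time server
        ("198.51.100.7", 53,   "192.0.2.99", 1026),  # DNS reply to some other host
        ("198.51.100.7", 4444, DNS_SERVER,   1026),  # high source port, still denied
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(ACL_TWEAKED, *pkt), "/", evaluate(ACL_BROAD, *pkt))
```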