Netgate Discussion Forum

    PCI Compliance Port 53

    Firewalling
    3 Posts 3 Posters 5.1k Views
    kcnz

      I had a PCI scan done through hackerguardian.com and it did not pass PCI compliance due to:

      UDP packets with source port of 53 bypass firewall rules

      Further Explanation:

      "Urgent"
      Synopsis:
      Firewall rulesets can be bypassed.
      Description:
      It is possible to bypass the rules of the remote firewall by sending UDP packets with a source port equal to 53.
      An attacker may use this flaw to inject UDP packets to the remote hosts, in spite of the presence of a firewall.

      and a link

      http://archives.neohapsis.com/archives/fulldisclosure/2003-q2/0352.html

      I have no open ports other than OpenVPN, which is running on pfSense.

      How do I eliminate this? I tried blocking the port specifically and it still failed.

      jimp Rebel Alliance Developer Netgate

        I'm not sure why that came back, but it's really a false positive. If you read the notice, it's for "UDP bypassing in Kerio Firewall" - and seeing as this is not Kerio Firewall, it's likely irrelevant. Such a rule does not exist on pfSense anyhow, not by default.

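The scanner finding in this thread describes a firewall that passes inbound UDP purely because the packet's source port is 53, which is how a naive "let DNS replies back in" rule is sometimes written. Below is an added example, not from the thread and not pfSense's own tooling, that checks a pf-style ruleset for exactly that pattern and shows the stateful outbound rule that makes such an inbound rule unnecessary. The rulesets are constructed samples, and the regex only understands the small subset of pf syntax used in them.

```python
"""
Added example (not part of the forum thread): flag pf-style rules that pass
inbound UDP on the strength of its *source* port alone, the misconfiguration
the "UDP packets with source port of 53 bypass firewall rules" check looks for.
Both rulesets below are constructed samples, not exported from a real firewall.
"""
import re

# Weak: the inbound rule was meant to admit DNS replies, but it admits ANY UDP
# datagram whose source port happens to be 53, to any destination port.
WEAK_RULESET = """
block in all
pass in quick on em0 proto udp from any port 53 to any
pass out quick on em0 proto udp from any to any port 53
"""

# Hardened: outbound DNS queries create a state entry, and the reply is matched
# by that state, so no inbound rule keyed on source port 53 is needed at all.
HARDENED_RULESET = """
block in all
pass out quick on em0 proto udp from any to any port 53 keep state
"""

# Simplified pf rule grammar (assumption: only the shapes used above are parsed;
# lines the regex does not understand, such as "block in all", are skipped).
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)"
    r"(?:\s+quick)?(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+from\s+(?P<src>\S+)(?:\s+port\s+(?P<sport>\S+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+port\s+(?P<dport>\S+))?"
)


def parse_rules(text):
    """Parse the ruleset into dicts; comments and unparseable lines are dropped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(dict(m.groupdict(), raw=line))
    return rules


def source_port_passthrough(text, port="53"):
    """Return the raw text of every rule that passes inbound traffic because
    its source port equals `port` while leaving the destination port open.
    Rules with no proto are treated as matching UDP too."""
    findings = []
    for r in parse_rules(text):
        if r["action"] != "pass" or r["dir"] != "in":
            continue
        if r["proto"] not in (None, "udp"):
            continue
        if r["sport"] == port and r["dport"] is None:
            findings.append(r["raw"])
    return findings


if __name__ == "__main__":
    for name, ruleset in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        hits = source_port_passthrough(ruleset)
        print(f"{name}: {len(hits)} source-port-53 passthrough rule(s)")
        for h in hits:
            print("  ", h)
```

Run against the weak ruleset it reports the single `pass in ... from any port 53 to any` line; the hardened ruleset reports nothing, because reply traffic is admitted by the state table rather than by an inbound rule. That is also the reason the finding is a false positive on a default pfSense install, as the reply above says: pfSense filters statefully and ships no inbound rule keyed on source port 53.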
          sdamron

          You do not fail PCI compliance for having an open port on your firewall. Port 53 is DNS, and if you run your own DNS servers, you must have this port open inbound. You need a real PCI assessment, not some free automated scan.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.