PCI Compliance Port 53

  • I had a PCI scan done through hackerguardian.com and it did not pass PCI compliance due to:

    UDP packets with source port of 53 bypass firewall rules

    Further Explanation:

    "Urgent"
    Synopsis :
    Firewall rulesets can be bypassed.
    Description :
    It is possible to bypass the rules of the remote firewall by sending UDP packets with a source port equal to 53.
    An attacker may use this flaw to inject UDP packets to the remote hosts, in spite of the presence of a firewall.

    and a link

    http://archives.neohapsis.com/archives/fulldisclosure/2003-q2/0352.html

    I have no open ports other than OpenVPN, which is running on pfSense.

    How do I eliminate this? I tried blocking the port specifically and it still failed.


  • Rebel Alliance Developer Netgate

    I'm not sure why that came back, but it's really a false positive. If you read the notice, it's for "UDP bypassing in Kerio Firewall" - and seeing as this is not Kerio Firewall, it's likely irrelevant. Such a rule does not exist on pfSense anyhow, not by default.
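To make the finding concrete: the advisory quoted above describes a firewall that accepts any inbound UDP packet simply because its source port is 53, without checking whether the packet answers a query this network actually sent. A stateful rule (pfSense's default "keep state") only admits a reply that reverses a recorded outbound flow. The toy model below is an added illustration, not pfSense, HackerGuardian or Kerio code; the `Packet`, `StatelessSourcePortFilter` and `StatefulFilter` names and every address and port are constructed for the example.

```python
"""Toy model contrasting a stateless 'source port 53' allow rule with a stateful
one. Added illustration only; addresses are RFC 5737 documentation ranges and
all names are invented for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


class StatelessSourcePortFilter:
    """The flawed design the advisory describes: any inbound UDP packet whose
    source port is 53 is accepted, regardless of whether anyone asked for it.
    A remote sender therefore reaches any internal UDP port just by choosing
    source port 53."""

    def inbound_allowed(self, pkt: Packet) -> bool:
        return pkt.proto == "udp" and pkt.src_port == 53


class StatefulFilter:
    """Stateful behaviour (pfSense 'keep state' default, modelled here): an
    inbound UDP packet is accepted only if it reverses a 4-tuple recorded when
    an inside host sent the matching outbound packet."""

    def __init__(self) -> None:
        self._flows: set[tuple[str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> None:
        # Record the outgoing query's 4-tuple so its reply can be matched.
        self._flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))

    def inbound_allowed(self, pkt: Packet) -> bool:
        # A legitimate reply swaps source and destination of the recorded flow.
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self._flows


def run_scenario() -> dict[str, bool]:
    """Run one DNS query/reply plus one unsolicited source-port-53 packet
    through both filters and report what each one lets in."""
    inside = "192.0.2.10"        # constructed: inside host (TEST-NET-1)
    resolver = "198.51.100.53"   # constructed: upstream DNS resolver
    remote = "203.0.113.7"       # constructed: unrelated remote sender

    legit_query = Packet(inside, 41000, resolver, 53)
    legit_reply = Packet(resolver, 53, inside, 41000)
    # Unsolicited packet that merely uses source port 53, aimed at an
    # internal UDP service port (1194 is used as an illustrative value).
    unsolicited = Packet(remote, 53, inside, 1194)

    naive = StatelessSourcePortFilter()
    stateful = StatefulFilter()
    stateful.outbound(legit_query)  # inside host sends its DNS query

    return {
        "naive_reply": naive.inbound_allowed(legit_reply),          # True
        "naive_unsolicited": naive.inbound_allowed(unsolicited),    # True: the hole
        "stateful_reply": stateful.inbound_allowed(legit_reply),    # True
        "stateful_unsolicited": stateful.inbound_allowed(unsolicited),  # False
    }


if __name__ == "__main__":
    for name, allowed in run_scenario().items():
        print(f"{name}: {'pass' if allowed else 'drop'}")
```

The point of the model is the last line of the result: the stateless filter passes both packets, the stateful one passes only the genuine reply. A scanner that sends a source-port-53 probe and gets any response will raise this finding; on a firewall that only keeps state for outbound queries, the probe is dropped, which is why the poster above treats it as a false positive for pfSense.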



  • You do not fail PCI compliance for having an open port on your firewall.  Port 53 is DNS, and if you run your own DNS servers, you must have this port open inbound.  You need a real PCI assessment, not some free automated scan.