PCI Compliance Port 53
-
I had a PCI scan done through hackerguardian.com and it did not pass PCI compliance due to:
UDP packets with source port of 53 bypass firewall rules
Further Explanation:
"Urgent"
Synopsis :
Firewall rulesets can be bypassed.
Description :
It is possible to bypass the rules of the remote firewall by sending UDP packets with a source port equal to 53.
An attacker may use this flaw to inject UDP packets to the remote hosts, in spite of the presence of a firewall.
and a link:
http://archives.neohapsis.com/archives/fulldisclosure/2003-q2/0352.html
I have no open ports other than OpenVPN, which is running on pfSense.
How do I eliminate this? I tried blocking the port specifically and it still failed.
-
I'm not sure why that came back, but it's really a false positive. If you read the notice, it's for "UDP bypassing in Kerio Firewall" - and seeing as this is not Kerio Firewall, it's likely irrelevant. Such a rule does not exist on pfSense anyhow, not by default.
-
You do not fail PCI compliance for having an open port on your firewall. Port 53 is DNS, and if you run your own DNS servers, you must have this port open inbound. You need a real PCI assessment, not some free automated scan.
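Whether a firewall really treats UDP source port 53 specially (the weakness the scanner in the question is reporting) is something you can check yourself rather than argue with the scan vendor. The script below is an added example, not code from the thread or from pfSense: it scans the target twice with nmap, once from a normal ephemeral source port and once with nmap's `-g 53` (same as `--source-port 53`), parses the greppable output, and lists the UDP ports that only answer when the probe claims to come from port 53. The target address, the port list and the embedded sample scan results are constructed for illustration; UDP scanning needs root, and you need permission to scan the host.

```bash
#!/bin/sh
# Added example (not from the thread): differential UDP scan to test whether a
# firewall lets packets through just because their source port is 53.
set -eu

# Scan the same UDP ports twice: from an ephemeral source port, then with the
# source port forced to 53 (nmap -g). Port list is an assumption; adjust it.
run_scans() {
    target=$1; dir=$2; ports=${3:-53,123,161,500,1194}
    nmap -sU -n -Pn -p "$ports" -oG "$dir/normal.gnmap" "$target" >/dev/null
    nmap -sU -n -Pn -g 53 -p "$ports" -oG "$dir/sp53.gnmap" "$target" >/dev/null
}

# Print "port state" pairs from a greppable (-oG) nmap file. Entries look like
# "123/open|filtered/udp//ntp///" in a comma-separated, tab-terminated field.
port_states() {
    sed -n 's/.*Ports: //p' "$1" | cut -f1 | tr ',' '\n' | sed 's/^ *//' |
        awk -F/ '{ print $1, $2 }'
}

# For UDP, nmap reports "open" (service answered) or "closed" (ICMP port
# unreachable) only when the host actually replied; "open|filtered" means
# nothing came back, which is what a silently dropping firewall looks like.
# A port that replies only when the source port is 53 has bypassed the ruleset.
bypassed_ports() {
    normal=$1; sp53=$2
    port_states "$sp53" | while read -r port state; do
        case $state in
            open|closed) ;;          # host answered the source-port-53 probe
            *) continue ;;
        esac
        base=$(port_states "$normal" | awk -v p="$port" '$1 == p { print $2 }')
        case $base in
            open|closed) ;;          # answered from an ephemeral port too: no bypass
            *) echo "$port" ;;       # answered only with source port 53
        esac
    done
}

# Constructed sample output (not a real scan) so the comparison runs offline.
# 53 answers either way, 1194 is dropped either way, 123 and 161 answer only
# when the probe claims source port 53.
write_sample_scans() {
    dir=$1
    printf 'Host: 192.0.2.10 ()\tPorts: 53/open/udp//domain///, 123/open|filtered/udp//ntp///, 161/open|filtered/udp//snmp///, 1194/open|filtered/udp//openvpn///\n' > "$dir/normal.gnmap"
    printf 'Host: 192.0.2.10 ()\tPorts: 53/open/udp//domain///, 123/open/udp//ntp///, 161/closed/udp//snmp///, 1194/open|filtered/udp//openvpn///\n' > "$dir/sp53.gnmap"
}

work=$(mktemp -d)
if [ $# -gt 0 ]; then
    run_scans "$1" "$work"         # usage: ./udp53check.sh <target>  (run as root)
else
    write_sample_scans "$work"     # no target given: use the constructed sample
fi
bypassed_ports "$work/normal.gnmap" "$work/sp53.gnmap"
```

An empty result from a real scan means the firewall answered (or stayed silent) the same way regardless of source port, which is what a stateful pfSense ruleset should do; a non-empty list is a rule that matches on source port and should be rewritten to match on the destination service and rely on state tracking instead. Only a definite state change counts: two `open|filtered` results say nothing, because both probes were dropped.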