
Re: [FW-1] Weird Activity



Sean

I don't think there's anything flawed in your rule.  However, I personally do something a little different, but it has the same effect I suppose.

Src -> Internal DNS server   Dest-> ISP DNS server   Service-> Domain-UDP

My primary NT 4.0 DNS server only forwards DNS queries to my ISP's DNS servers.
It's my impression that most all Windows Operating Systems will resolve "localhost" to the loopback address.  At least I know NT and 2K do that.  If your desktops are using that localhost name, is that necessary?  Could they use a different hostname or is that not feasible?  I'm assuming you do have a static entry on your DNS server that says:
localhost = RS/6000

And, just as Don has already asked, I'm curious about what IP address you saw in the cache for that entry.



>>> Sean Donaghey/HDGH <[email protected]> 06/27/02 02:21PM >>>
I have a rule in my firewall Src->Internal-Network   Dest->Any
Service->domain-udp

Internal-Network group is comprised of all my networks inside of the
hospital.

I do not run any DNS service on the firewall.  Firewall is on a Nokia IP440
box.

Thanks,

Sean P. Donaghey
Sr. Technical Analyst
Hôtel-Dieu Grace Hospital
Windsor, Ontario Canada

Tel:Ext. 3717
Fax:Email: [email protected]




Larry Walden <[email protected]>
Sent by: Mailing list for discussion of Firewall-1 <[email protected]kpoint.com>
06/27/2002 01:58 PM
Please respond to Mailing list for discussion of Firewall-1

To:       [email protected]
cc:
Subject:  Re: [FW-1] Weird Activity






Sean

I'm sure you'll get a lot of comments on your email.  However, the first
thing I would ask is do you allow incoming TCP or UDP DNS through your
firewall?  Also are you running a DNS Server service on your firewall?

>>> Sean Donaghey/HDGH <[email protected]> 06/27/02 01:26PM >>>
Hi,

We have been experiencing a weird thing with our DNS servers in our
network, and I was wondering if anyone would know if our firewall has been
penetrated or not.

What is happening is our DNS server (WinNT 4.0 SP6a) is getting a localhost
address record inserted in the cache.  This in turn royally screws up our
RS/6000 server, as they use the name localhost for the software they are
running.  It happened yesterday, and it took a while to find out the cause,
and when we did, we removed the offending entry, and then stopped, and
started the DNS server, so that the cache would be flushed completely.  But
once again, just 5 minutes ago, it happened again.

Does anyone know if this is a result of a virus, trojan, or something else?
I have searched the firewall logs for any information, but cannot find
anything out.

Thanks,

Sean P. Donaghey
Sr. Technical Analyst
Hôtel-Dieu Grace Hospital
Windsor, Ontario Canada

Tel:Ext. 3717
Fax:Email: [email protected]



The information contained in this email is confidential and protected by
law.  The information is intended only for the person or organization
addressed in this email.  If you share or copy the information you are
breaking the law.  If you have received this email by mistake, please
delete it and notify the sender of the email by the telephone number listed
on this email.

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
