[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [FW-1] NG AI and DNS drops
Edwin Davidson wrote: > > DNS servers on the LAN are NATTed for HIDE behind the > firewall's IP. DNS replies are sent to the firewall > because the external servers see the firewall's IP address > in the DNS request. Since this is UDP, there is one packet > from the internal DNS server -> FW1 -> external DNS server, then > there is a packet from external DNS server -> FW1 -> internal DNS. > > I am guessing the drops are due to UDP timeouts- but I am not sure > how to tell. I am not sure how to "dump the traffic." I can use > Ethereal, but what would I be looking for? The UDP reply packet > is probably fine. Does the Firewall send out another packet that > I can capture when it DROPS a UDP packet? I didn't think it did.? > > Or is there a better way to diagnose this? Before we worry about all of that, I think we need to be 100% clear on what you're seeing in the logs. What we know: This is DNS traffic, port 53/udp, destined for the firewall's external IP address, being dropped by your "stealth rule." What I want to be 100% on: Is 53/udp the _source_ or _destination_ port? If it is the source port, then yes, there may be something funny going on here. The first thing I'd do is go into the logs and find the corresponding outgoing log entry for the traffic. That is, find the log entry with the source IP as the destination, the source port as the destination, and the destination port as the source. How far apart are they? If 53/udp is the _destination_ port, then this has nothing to do with queries timing out or anything like that. These are the usual random probes or more likely, that hideous noise from lame load balancing software that all firewall admin have learned to love. (At least the load balancing software now carries a PTR lookup on the destination IP rather than the old version.bind lookup that would set off all of the IDSs.) -- Crist J. Clark [email protected] Globalstar CommunicationsThe information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact [email protected] ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [email protected] =================================================
|