Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW-1] NG AI and DNS drops

To: [email protected]
Subject: Re: [FW-1] NG AI and DNS drops
From: Crist Clark <[email protected]>
Date: Thu, 31 Jul 2003 10:55:43 -0700
Comments: To: Edwin Davidson <[email protected]>
Organization: Globalstar Communications
References: <[email protected]>
Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
Sender: Mailing list for discussion of Firewall-1 <[email protected]>

Edwin Davidson wrote:
>
> DNS servers on the LAN are NATTed for HIDE behind the
> firewall's IP.   DNS replies are sent to the firewall
> because the external servers see the firewall's IP address
> in the DNS request.  Since this is UDP, there is one packet
> from the internal DNS server -> FW1 -> external DNS server, then
> there is a packet from external DNS server -> FW1 -> internal DNS.
>
> I am guessing the drops are due to UDP timeouts- but I am not sure
> how to tell.  I am not sure how to "dump the traffic."  I can use
> Ethereal, but what would I be looking for? The UDP reply packet
> is probably fine.  Does the Firewall send out another packet that
> I can capture when it DROPS a UDP packet?  I didn't think it did.?
>
> Or is there a better way to diagnose this?

Before we worry about all of that, I think we need to be 100% clear on
what you're seeing in the logs.

What we know:

This is DNS traffic, port 53/udp, destined for the firewall's external
IP address, being dropped by your "stealth rule."

What I want to be 100% on:

Is 53/udp the _source_ or _destination_ port? If it is the source port,
then yes, there may be something funny going on here. The first thing
I'd do is go into the logs and find the corresponding outgoing log entry
for the traffic. That is, find the log entry with the source IP as the
destination, the source port as the destination, and the destination port
as the source. How far apart are they?

If 53/udp is the _destination_ port, then this has nothing to do with
queries timing out or anything like that. These are the usual random
probes or more likely, that hideous noise from lame load balancing
software that all firewall admin have learned to love. (At least the
load balancing software now carries a PTR lookup on the destination IP
rather than the old version.bind lookup that would set off all of the
IDSs.)
--
Crist J. Clark                               [email protected]
Globalstar CommunicationsThe information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.
If the reader of this e-mail is not the intended recipient, or the
employee or agent responsible to deliver it to the intended recipient,
you are hereby notified that any review, dissemination, distribution or
copying of this communication is strictly prohibited.  If you have
received this e-mail in error, please contact [email protected]

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

Follow-Ups:
- Re: [FW-1] NG AI and DNS drops
  - From: Edwin Davidson <[email protected]>

References:
- Re: [FW-1] NG AI and DNS drops
  - From: Edwin Davidson <[email protected]>

Prev by Date: Re: [FW-1] Management NG AI - Module 4.1
Next by Date: [FW-1] secureremote docs?
Previous by thread: Re: [FW-1] NG AI and DNS drops
Next by thread: Re: [FW-1] NG AI and DNS drops
Index(es):
- Date
- Thread