
RE: [FW1] stateful firewalling and clustering.



Yeah, create objects for each of their valid DNS servers.
Put them in a GROUP object and define a rule to allow DNS UDP
only to be sourced from that group destined for your mail server.

You only need DNS TCP for zone transfers and that's probably best
done with a DNS server in your DMZ. You should never allow zone
transfers to your primary/secondary internal DNS servers from the
outside EVER!
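The behaviour described in this thread, as an added example that is not part of the list post: a minimal model of a stateful firewall whose connection table is keyed on the full 5-tuple, so an answer coming back from a different cluster member than the one queried finds no matching state and falls through to the rule base. The second rule is the one the reply suggests, a GROUP of the ISP's DNS servers permitted to send UDP from port 53 to the mail server only. All addresses are constructed RFC 5737 documentation values, and the rule representation is a simplification, not FireWall-1's own rule base format.

```python
"""Why a stateful firewall drops DNS answers from a DNS cluster member.

Added example, not code from the mailing list. Addresses are constructed
documentation values; the rule/state model is a simplification of how a
stateful firewall tracks UDP, not FireWall-1's actual implementation.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed hosts: the internal mail server and the ISP's DNS cluster.
MAIL_SERVER = "192.0.2.25"
DNS_B = "203.0.113.53"      # the address the mail server queries ("machine B")
DNS_A = "203.0.113.54"      # the cluster member that actually answers ("machine A")
DNS_GROUP = frozenset({DNS_A, DNS_B})   # the GROUP object the reply recommends


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src: Optional[FrozenSet[str]]   # None means "any"
    dst: Optional[FrozenSet[str]]
    proto: str
    sport: Optional[int]            # None means "any port"
    dport: Optional[int]
    action: str                     # "accept" or "drop"

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and (self.src is None or p.src in self.src)
                and (self.dst is None or p.dst in self.dst)
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport))


class StatefulFirewall:
    """Connection table keyed on the full 5-tuple (proto, src, sport, dst, dport)."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state: set = set()

    def process(self, p: Packet) -> str:
        # 1. A packet is accepted from state only if it is the exact reverse
        #    of a flow already recorded. An answer from a different source
        #    address than the one queried is NOT the reverse of that flow.
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse in self.state:
            return "accept (state)"
        # 2. Otherwise walk the rule base in order; an accept records the flow.
        for i, rule in enumerate(self.rules, 1):
            if rule.matches(p):
                if rule.action == "accept":
                    self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
                    return f"accept (rule {i})"
                return f"drop (rule {i})"
        return "drop (cleanup)"


# Rule 1: the mail server may send DNS queries anywhere (what the poster already had).
OUTBOUND_DNS = Rule(src=frozenset({MAIL_SERVER}), dst=None, proto="udp",
                    sport=None, dport=53, action="accept")
# Rule 2: the fix from the reply, DNS UDP sourced from the cluster group, to the
# mail server only, so a stateless answer from machine A is still accepted.
CLUSTER_ANSWERS = Rule(src=DNS_GROUP, dst=frozenset({MAIL_SERVER}), proto="udp",
                       sport=53, dport=None, action="accept")


def run_dns_exchange(rules: List[Rule]) -> Tuple[str, str]:
    """Query machine B from an ephemeral port, then receive the answer from machine A."""
    fw = StatefulFirewall(rules)
    query = Packet("udp", MAIL_SERVER, 34567, DNS_B, 53)
    answer_from_a = Packet("udp", DNS_A, 53, MAIL_SERVER, 34567)
    return fw.process(query), fw.process(answer_from_a)


if __name__ == "__main__":
    print("before:", run_dns_exchange([OUTBOUND_DNS]))
    print("after: ", run_dns_exchange([OUTBOUND_DNS, CLUSTER_ANSWERS]))
```

Without the second rule the query is accepted and the answer from machine A is dropped by the cleanup rule, which is exactly the log pattern the poster saw. With it, the answer is accepted, but note what the rule also does: any UDP packet from a group member with source port 53 to the mail server now passes without state, which is why the reply limits the source to the explicitly listed cluster members and the destination to the single mail server rather than opening it to "any".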

-----Original Message-----
From: [email protected]
[mailto:[email protected]]On Behalf Of
Langa Kentane
Sent: Wednesday, January 10, 2001 8:53 AM
To: Firewall-1 Mailing List (E-mail)
Cc: Jim Morrisby
Subject: [FW1] stateful firewalling and clustering.



Greetings gurus.

I have now discovered something else in connection with a problem I was
having.  Yesterday I realised that some machine from our ISP [machine A] was
sending us packets that were getting dropped by the firewall originating from
port 80 and going to ports ranging from 34000 to 37.  At first I thought
it was a port scan being done on the firewall.  Then I thought it was
timed-out backward connections being blocked so I increased the UDP time out.
The packets were going to our mail server and direct to the firewall.

Now the mail server has both a legal and illegal address [using static
source/dest NAT].  After digging through the log files some more, I realised
that our mail server was doing DNS queries to machine B.  The secondary DNS
server for our mail server is machine B.

Turns out that our ISP has a DNS server cluster.  Machine B being the
virtual/primary [whatever] address for the DNS cluster.  Now what happens is
that when our mail server does a DNS query to machine B, machine A answers
the query and because machine A does not have a valid connection in the
state table, the packets are being dropped.

Now, how do I get around this problem??  Is it possible to fix this??

__________________________________________________________
Langa Kentane          | TEL:
Security Administrator | Cell:
DISCOVERY HEALTH       | http://www.discoveryhealth.co.za
__________________________________________________________



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
   All contents © 2004 Network Presence, LLC. All rights reserved.