RE: [FW1] stateful firewalling and clustering.
Yeah, create objects for each of their valid DNS servers. Put them in a GROUP object and define a rule to allow DNS UDP only, sourced from that group and destined for your mail server. You only need DNS TCP for zone transfers, and that's probably best done with a DNS server in your DMZ. You should never allow zone transfers to your primary/secondary internal DNS servers from the outside, EVER!

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Langa Kentane
Sent: Wednesday, January 10, 2001 8:53 AM
To: Firewall-1 Mailing List (E-mail)
Cc: Jim Morrisby
Subject: [FW1] stateful firewalling and clustering.

Greetings gurus.

I have now discovered something else in connection with a problem I was having. Yesterday I realised that some machine from our ISP [machine A] was sending us packets that were getting dropped by the firewall, originating from port 80 and going to ports ranging from 34000 to 37. At first I thought it was a port scan being done on the firewall. Then I thought it was timed-out backward connections being blocked, so I increased the UDP timeout. The packets were going to our mail server and directly to the firewall. Now, the mail server has both a legal and an illegal address [using static source/dest NAT].

After digging through the log files some more, I realised that our mail server was doing DNS queries to machine B. The secondary DNS server for our mail server is machine B. It turns out that our ISP has a DNS server cluster, machine B being the virtual/primary [whatever] address for the DNS cluster. Now what happens is that when our mail server does a DNS query to machine B, machine A answers the query, and because machine A does not have a valid connection in the state table, the packets are being dropped.

Now, how do I get around this problem? Is it possible to fix this?
__________________________________________________________
Langa Kentane          | TEL:
Security Administrator | Cell:
DISCOVERY HEALTH       | http://www.discoveryhealth.co.za
__________________________________________________________

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
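The exchange above describes a classic stateful-inspection failure: the mail server queries the cluster's virtual address (machine B), the state table records the reverse tuple for B, and the real cluster member (machine A) answers from a different source address, so its reply matches nothing and falls through to the cleanup drop. The following toy packet filter, written for this page as an added example (it is not code from the thread and not Check Point's implementation), reproduces that behaviour and shows the effect of the group rule the reply suggests. All addresses are constructed from the RFC 5737 documentation ranges, and the suggested rule is interpreted here as "accept UDP from source port 53 on any group member to the mail server", which is an assumption about how the rule would be expressed on a real firewall.

```python
"""Toy stateful UDP packet filter: state table first, then rule base, then implicit drop.

Added example for the FW1 thread above; addresses are constructed placeholders."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed addresses standing in for the thread's hosts (assumption, not real IPs).
MAIL_SERVER = "192.0.2.25"      # mail server, as seen by the firewall after NAT
DNS_VIP = "198.51.100.53"       # "machine B": the cluster address the mail server queries
DNS_NODE = "198.51.100.54"      # "machine A": the cluster member that actually answers
ANY = frozenset({"any"})        # wildcard for src/dst


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src: FrozenSet[str]          # a GROUP object: set of addresses, or ANY
    dst: FrozenSet[str]
    proto: str
    sport: Optional[int]         # None = any port
    dport: Optional[int]
    action: str                  # "accept" or "drop"

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and (self.src == ANY or p.src in self.src)
                and (self.dst == ANY or p.dst in self.dst)
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport))


class StatefulFilter:
    def __init__(self, rules: List[Rule], udp_timeout: float = 40.0):
        self.rules = rules
        self.udp_timeout = udp_timeout
        # key: the 5-tuple an expected reply will carry; value: expiry time
        self.state: Dict[Tuple[str, str, int, str, int], float] = {}

    def process(self, p: Packet, now: float) -> str:
        # Age out stale entries (this is all a larger UDP timeout changes).
        self.state = {k: t for k, t in self.state.items() if t > now}
        if (p.proto, p.src, p.sport, p.dst, p.dport) in self.state:
            return "accept:state"
        for r in self.rules:
            if r.matches(p):
                if r.action == "accept":
                    # Register the reply we expect: same hosts and ports, swapped.
                    # Note the reply is keyed on p.dst, i.e. the VIP, not on whoever answers.
                    self.state[(p.proto, p.dst, p.dport, p.src, p.sport)] = now + self.udp_timeout
                return f"{r.action}:rule"
        return "drop:cleanup"


# Rule base 1: only outbound queries are allowed; replies must match state.
BASELINE = [Rule(frozenset({MAIL_SERVER}), ANY, "udp", None, 53, "accept")]

# Rule base 2: the GROUP object from the reply, plus an explicit rule for answers
# from any member of it, restricted to UDP source port 53 and the mail server only.
DNS_GROUP = frozenset({DNS_VIP, DNS_NODE})
WITH_GROUP_RULE = [
    Rule(frozenset({MAIL_SERVER}), DNS_GROUP, "udp", None, 53, "accept"),   # queries out
    Rule(DNS_GROUP, frozenset({MAIL_SERVER}), "udp", 53, None, "accept"),   # answers back
]


def run_scenario(rules: List[Rule], udp_timeout: float = 40.0) -> Tuple[str, str]:
    """Query goes to the VIP; the answer comes back from the other cluster member."""
    fw = StatefulFilter(rules, udp_timeout)
    query = Packet("udp", MAIL_SERVER, 34567, DNS_VIP, 53)
    answer_from_node = Packet("udp", DNS_NODE, 53, MAIL_SERVER, 34567)
    return fw.process(query, now=0.0), fw.process(answer_from_node, now=0.5)


def stray_packet_verdict(rules: List[Rule]) -> str:
    """Something else from machine A (here UDP source port 80) must still be dropped."""
    fw = StatefulFilter(rules)
    return fw.process(Packet("udp", DNS_NODE, 80, MAIL_SERVER, 34567), now=0.0)


if __name__ == "__main__":
    print("baseline           :", run_scenario(BASELINE))
    print("baseline, 1h timeout:", run_scenario(BASELINE, udp_timeout=3600.0))
    print("with group rule    :", run_scenario(WITH_GROUP_RULE))
    print("stray sport 80     :", stray_packet_verdict(WITH_GROUP_RULE))
```

Running it shows the two things the thread establishes: the original poster's first fix (a longer UDP timeout) cannot help, because the answer from machine A never matched a state entry in the first place, and the explicit rule accepts only what the cluster legitimately sends (UDP from source port 53 to the mail server), so other traffic from the same ISP hosts is still dropped by the cleanup rule.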