Richard,
I think I'm missing information, but let me see if
I can beat through this one. No promises.
Are your requests originating from the fw or a client
behind the fw? What/where are the 'DNS Servers'?
- -
Robert P. MacDonald, Network Engineer
e-Business Infrastructure
Gordon Food Service
Voice: +1.616.261.7987 email: [EMAIL PROTECTED]
>>> Richard Mayhew <[EMAIL PROTECTED]> 9/1/00 2:02:44 AM >>>
>I found a very weird problem.
>I am using Firewall-1 v4.1 Linux(Standard Installation)
>
>I first of all denied all traffic to the firewall, but allowed any traffic
>from the firewall (testing) hoping that the pseudo rules would allow DNS
>through (they were activated)
I'll assume(ack) that 'allowed any traffic from the firewall'
was via the policy property 'Allow outgoing conn...'.
What policy properties implied rules do you have checked
and position in rulebase(first, last, etc.)? Is 'Allow UDP
Replies' lit?
>when it came to doing any lookups on
>the firewall it wouldn't work as the pseudo rules had no effect. All
>traffic was still being denied, including DNS.
FW-1 is really good at doing what it is told to do, and
your rule to block all traffic destined _to_ the fw is no
different.
But I'll ask anyways. Blocked by what rule #(log)?
>I then did some testing and
>found that the firewall was communicating on port 1031 UDP to the DNS
>servers. Which is not the standard 53 TCP/UDP. To get DNS lookups to work I
>had to add a rule
>
>DNS Servers firewall Service_1031_UDP accept .............etc
>
>Can anyone explain this to me?
Again, I'll assume(ack) you've placed this rule above the rule
that blocks traffic to the fw.
It's my understanding that the source port is dynamically
assigned, destined to port 53 on the remote system. The reply
will also be UDP, destined to the source port, from port 53.
The reply will be UDP, not part of a connection (connectionless),
so the return packet is dropped. The implied rule 'Accept
DNS Over UDP (Queries)' is for receiving a query, not a
reply (to my knowledge. But I've yet to test this...now
where's my huge list of things to check...)
See the following for some additional info:
http://www.phoneboy.com/fw1/faq/0193.html
I'm sure others will gently fix/clarify any mistakes I've made.
Robert
>Thanks
>
>Richard Mayhew
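Robert's explanation above, that the query leaves from a dynamically assigned port and the UDP reply back to that port is dropped unless something matches it to the outgoing query, can be modelled in a few lines. This is an added example written for this page, not code from the thread or from Check Point; the addresses, the ephemeral port 1031 and the verdict strings are constructed, and 'accept_udp_replies' stands in for the FW-1 'Accept UDP Replies' property:

```python
# Added example (not from the thread): a minimal model of how a stateful
# firewall matches the UDP reply to a DNS query sent from an ephemeral port.
from dataclasses import dataclass

DNS_PORT = 53
FW_IP = "192.0.2.1"           # constructed: the firewall's own address
DNS_SERVER = "198.51.100.53"  # constructed: the DNS server the fw queries


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


class Firewall:
    """Rulebase from the thread: allow anything *from* the firewall, deny
    anything *to* it. 'accept_udp_replies' models 'Accept UDP Replies'."""

    def __init__(self, accept_udp_replies: bool):
        self.accept_udp_replies = accept_udp_replies
        self.pending = set()  # (client, sport, server, dport) awaiting a reply

    def filter(self, pkt: Packet) -> str:
        # Reply matching runs before the static rules (implied rule at 'first').
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self.accept_udp_replies and pkt.proto == "udp" and key in self.pending:
            self.pending.discard(key)  # one reply per outstanding query
            return "accept:udp-reply"
        if pkt.src == FW_IP:           # 'allowed any traffic from the firewall'
            if pkt.proto == "udp":
                self.pending.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept:from-fw"
        if pkt.dst == FW_IP:           # 'denied all traffic to the firewall'
            return "drop:to-fw"
        return "drop:cleanup"


def dns_lookup(fw: Firewall, ephemeral_port: int = 1031):
    """Send one query from the fw and feed the server's reply back through."""
    query = Packet(FW_IP, ephemeral_port, DNS_SERVER, DNS_PORT)
    reply = Packet(DNS_SERVER, DNS_PORT, FW_IP, ephemeral_port)
    return fw.filter(query), fw.filter(reply)
```

Without reply tracking the second verdict is the drop Richard saw, which is why a static accept for port 1031 UDP made lookups work; with it, the reply is matched to the query and no per-port rule is needed.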