At 12:32 PM 00/09/01 -0400, you wrote:
>Richard,
>
>I think I'm missing information, but let me see if
>I can beat through this one. No promises.
>
>Are your requests originating from* the fw or a client
>behind the fw? What/where are the 'DNS Servers'?
I have only 1 interface on the firewall, as I am just testing and getting
familiar with the new version of Firewall-1. We currently
are running 4.0 SP7. I have the same rules and pseudo rules as my current
firewall (except the majority of rules). I have basically the following.
Rules:
 #  Source     Destination  Service  Policy
 1  Server1    firewall     Any      Accept
    Server2
 2  Any        Firewall     Any      Drop
 3  Firewall   Any          Any      Drop
 4  Rules Follow
 5  Any        Any          Any      Drop
>- -
>Robert P. MacDonald, Network Engineer
>e-Business Infrastructure
>G o r d o n F o o d S e r v i c e
>Voice: +1.616.261.7987 email: [EMAIL PROTECTED]
>
> >>> Richard Mayhew <[EMAIL PROTECTED]> 9/1/00 2:02:44 AM >>>
> >I found a very weird problem.
> >I am using Firewall-1 v4.1 Linux(Standard Installation)
> >
> >I first of all denied all traffic to the firewall, but allowed any traffic
> >from the firewall (testing) hoping that the pseudo rules would allow DNS
> >through (they were activated)
>
>I'll assume(ack) that 'allowed any traffic from the firewall'
>was via the policy property 'Allow outgoing conn...".
was enabled
>What policy properties implied rules do you have checked
>and position in rulebase(first, last, etc.)? Is 'Allow UDP
>Replies' lit?
Yup
If I deselect some rules, am I correct in saying that one can see the implied
rules added and removed? I don't see this at all,
which I find fishy. I removed some rules and nothing changed from the default.
> >when it came to doing any lookups on
> >the firewall it wouldn't work as the pseudo rules had no effect. All
> >traffic was still being denied, including DNS.
>
>FW-1 is really good at doing what it is told to do, and
>your rule to block all traffic destined _to_ the fw is no
>different.
>
>But I'll ask anyways. Blocked by what rule #(log)?
>
> >I then did some testing and
> >found that the firewall was communicating on port 1031 UDP to the DNS
> >servers. Which is not the standard 53 TCP/UDP. To get DNS lookups to work I
> >had to add a rule
> >
> >DNS Servers firewall Service_1031_UDP accept
> .............etc
> >
> >Can anyone explain this to me?
>
>Again, I'll assume(ack) you've placed this rule above the rule
>that blocks traffic to the fw.
yup
>It's my understanding that the source port is dynamically
>assigned, destined to port 53 on the remote system. the reply
>will also be UDP, destined to the source port, from port 53.
>
>The reply will be UDP, not part of a connection(connectionless),
>so the return packet is dropped. The implied rule 'Accept
>DN Over UDP (Queries)' is for receiving a query, not a
>reply(to my knowledge. But I've yet to test this...now
>where's my huge list of things to check...)
yes, as far as I last checked. Unfortunately I had to shut down my test
firewall for the weekend as I am moving desks etc.
On Monday I will grab a few screen shots from my GUI and mail you them so
that you can see all the configs.
I was just under the impression that DNS would talk on port 53 UDP for
queries, both ways.
>See the following for some additional info:
>http://www.phoneboy.com/fw1/faq/0193.html
>
>I'm sure others will gently fix/clarify any mistakes I've made.
>
>Robert
>
> >Thanks
> >
> >Richard Mayhew
>
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
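The behaviour Robert describes above (a DNS query leaves the firewall from an ephemeral source port to 53/UDP, the answer comes back from 53/UDP to that ephemeral port, and because UDP is connectionless the answer is only let in if the firewall remembers the outgoing query) can be shown with a small model. The code below is an added illustration written for this thread; it is not Check Point code and does not reproduce the real FW-1 inspection engine. The host names `firewall` and `dns1`, the port 1031 from Richard's log, the 40-second pseudo-connection timeout, and the simplified rule matching are all constructed assumptions. It models Richard's original rule base (drop everything to the firewall, accept everything from it), the "Accept UDP Replies" property as a state table consulted before the rule base, and the `DNS Servers -> firewall 1031/UDP accept` workaround rule placed above the drop rule.

```python
"""Toy model of a stateful UDP-reply check in front of a FW-1 style rule base.

Added illustration for this thread, not Check Point code.  Hosts, ports,
timeout and the rule-matching semantics are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FIREWALL, DNS = "firewall", "dns1"   # constructed host names


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


@dataclass
class Rule:
    num: int
    src: str                  # host name or "any"
    dst: str                  # host name or "any"
    service: Tuple[str, int]  # (proto, dport) or ("any", 0)
    action: str               # "accept" or "drop"

    def matches(self, p: Packet) -> bool:
        return ((self.src == "any" or self.src == p.src)
                and (self.dst == "any" or self.dst == p.dst)
                and (self.service == ("any", 0)
                     or self.service == (p.proto, p.dport)))


class Firewall:
    def __init__(self, rules: List[Rule], accept_udp_replies: bool = True,
                 timeout: int = 40):
        self.rules = rules
        self.accept_udp_replies = accept_udp_replies
        self.timeout = timeout
        # pseudo-connection table: (src, sport, dst, dport) -> expiry time
        self.udp_state: Dict[Tuple[str, int, str, int], int] = {}
        self.log: List[Tuple[Packet, str, str]] = []

    def inspect(self, p: Packet, now: int) -> str:
        # Age out pseudo-connections whose timeout has passed.
        self.udp_state = {k: t for k, t in self.udp_state.items() if t > now}
        # "Accept UDP Replies": the mirror image of a recorded query is
        # accepted before the rule base is consulted at all.
        reply_key = (p.dst, p.dport, p.src, p.sport)
        if self.accept_udp_replies and p.proto == "udp" \
                and reply_key in self.udp_state:
            self.log.append((p, "accept", "udp-reply"))
            return "accept"
        # First matching rule wins, as in an ordered rule base.
        for r in self.rules:
            if r.matches(p):
                if r.action == "accept" and p.proto == "udp":
                    self.udp_state[(p.src, p.sport, p.dst, p.dport)] = \
                        now + self.timeout
                self.log.append((p, r.action, f"rule {r.num}"))
                return r.action
        self.log.append((p, "drop", "implicit"))
        return "drop"


def base_rules(workaround_port: Optional[int] = None) -> List[Rule]:
    """Richard's original rule base, optionally with his 1031/UDP fix on top."""
    rules: List[Rule] = []
    n = 1
    if workaround_port is not None:
        rules.append(Rule(n, DNS, FIREWALL, ("udp", workaround_port), "accept"))
        n += 1
    rules += [Rule(n, "any", FIREWALL, ("any", 0), "drop"),
              Rule(n + 1, FIREWALL, "any", ("any", 0), "accept"),
              Rule(n + 2, "any", "any", ("any", 0), "drop")]
    return rules


def dns_exchange(fw: Firewall, sport: int, now: int = 0,
                 reply_delay: int = 1) -> Tuple[str, str]:
    """Send one query from the firewall and its answer; return both verdicts."""
    query = Packet(FIREWALL, sport, DNS, 53)
    reply = Packet(DNS, 53, FIREWALL, sport)
    return fw.inspect(query, now), fw.inspect(reply, now + reply_delay)


if __name__ == "__main__":
    print("UDP replies on :", dns_exchange(Firewall(base_rules(), True), 1031))
    print("UDP replies off:", dns_exchange(Firewall(base_rules(), False), 1031))
    fixed = Firewall(base_rules(1031), False)
    print("1031 rule, port 1031:", dns_exchange(fixed, 1031))
    print("1031 rule, port 1032:", dns_exchange(fixed, 1032))
```

Running it shows the three situations in the thread: with the reply check on, the answer is accepted by state rather than by any rule; with it off, the answer hits the "drop everything to the firewall" rule; and the explicit 1031/UDP rule only rescues lookups whose ephemeral port happens to be 1031, so a query sent from the next free port is answered and still dropped. That last case is why a rule keyed to one ephemeral port is a diagnosis aid rather than a fix, and why the log's rule number (as Robert asks) is the first thing to read.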