Did you make many changes to your system? The
rest is inline...
>>> Richard Mayhew <[EMAIL PROTECTED]> 9/1/00 11:02:48 PM >>>
>At 12:32 PM 00/09/01 -0400, you wrote:
>
>>Richard,
>>
>>I think I'm missing information, but let me see if
>>I can beat through this one. No promises.
>>
<snip>
>>What policy properties implied rules do you have checked
>>and position in rulebase(first, last, etc.)? Is 'Allow UDP
>>Replies' lit?
>Yup
>
>If I deselect some rules, am I correct in saying that one can see the implied
>rules added and removed? I don't see this at all,
>which I find fishy. I removed some rules and nothing changed from the default.
To see the implied rules, view->implied rules. If you make
changes, I've noticed that you need to turn off showing
the implied rules and then back on to see them.
>> >when it came to doing any lookups on
>> >the firewall it wouldn't work as the pseudo rules had no effect. All
>> >traffic was still being denied, including DNS.
>>
>>FW-1 is really good at doing what it is told to do, and
>>your rule to block all traffic destined _to_ the fw is no
>>different.
>>
>>But I'll ask anyways. Blocked by what rule #(log)?
>>
>> >I then did some testing and
>> >found that the firewall was communicating on port 1031 UDP to the DNS
>> >servers. Which is not the standard 53 TCP/UDP. To get DNS lookups to work I
>> >had to add a rule
>> >
>> >DNS Servers firewall Service_1031_UDP accept
>> .............etc
>> >
>> >Can anyone explain this to me?
>>
>>Again, I'll assume(ack) you've placed this rule above the rule
>>that blocks traffic to the fw.
>
>yup
Where?
>Rules.
>   Source    Destination  Service  Policy
>
>1  Server1   firewall     Any      Accept
>   Server2
>2  Any       Firewall     Any      Drop
>3  Firewall  Any          Any      Drop
>4  Rules Follow
>5  Any       Any          Any      Drop
>>It's my understanding that the source port is dynamically
>>assigned, destined to port 53 on the remote system. the reply
>>will also be UDP, destined to the source port, from port 53.
>>
>>The reply will be UDP, not part of a connection(connectionless),
>>so the return packet is dropped. The implied rule 'Accept
>>DN Over UDP (Queries)' is for receiving a query, not a
>>reply(to my knowledge. But I've yet to test this...now
>>where's my huge list of things to check...)
>
>yes, as far as I last checked. Unfortunately I had to shut down my test
>firewall for the weekend as I am moving desks etc.
>On monday I will grab a few screen shots from my GUI and mail you them so
>that you can see all the configs.
>I was just under the impression that DNS would talk on port 53 UDP for
>queries, both ways.
If, after verifying your configs, it still doesn't work, then
(don't send graphics) give us the following.
Send a simple network layout with names & IPs (cleaned up).
Set up your rulebase as your first post mentioned. Then
do a test. Make sure logging of implied rules is checked.
Send log info and the implied rules view (just show the implied
rule name in its position in your rulebase - _don't_
spend the time typing them all out).
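To make the point about UDP replies concrete, here is a constructed toy model (added for this thread; it is not Check Point code and the host names Firewall/DNS1 are assumptions, only port 1031 comes from the post): a first-match rulebase evaluated with and without the "Allow UDP Replies" behaviour of letting the answer to an accepted outbound query back in before the rulebase is consulted.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    number: int
    src: str       # host name or "Any"
    dst: str
    service: str   # "Any" or "<proto>/<dport>", e.g. "udp/53"
    action: str    # "accept" or "drop"

def _match(field: str, value: str) -> bool:
    return field == "Any" or field == value

def _service_match(service: str, pkt: Packet) -> bool:
    if service == "Any":
        return True
    proto, port = service.split("/")
    return pkt.proto == proto and pkt.dport == int(port)

class Firewall:
    """First matching rule wins; anything unmatched hits the cleanup rule (drop)."""
    def __init__(self, rules, allow_udp_replies: bool):
        self.rules = rules
        self.allow_udp_replies = allow_udp_replies
        self.pending = set()  # accepted outbound UDP flows still awaiting a reply

    def evaluate(self, pkt: Packet):
        # 'Allow UDP Replies': the answer to an accepted query (same hosts and
        # ports, reversed) is accepted before the rulebase is consulted.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self.allow_udp_replies and pkt.proto == "udp" and reverse in self.pending:
            self.pending.discard(reverse)
            return "accept", "udp-reply"
        for r in self.rules:
            if _match(r.src, pkt.src) and _match(r.dst, pkt.dst) and _service_match(r.service, pkt):
                if r.action == "accept" and pkt.proto == "udp":
                    self.pending.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return r.action, r.number
        return "drop", "cleanup"

# Constructed rulebase: the firewall may query DNS1, then the poster's
# "Any -> Firewall drop" rule. The query leaves from ephemeral port 1031.
RULES = [Rule(1, "Firewall", "DNS1", "udp/53", "accept"),
         Rule(2, "Any", "Firewall", "Any", "drop"),
         Rule(3, "Firewall", "Any", "Any", "drop")]
QUERY = Packet("Firewall", "DNS1", "udp", 1031, 53)
REPLY = Packet("DNS1", "Firewall", "udp", 53, 1031)

def dns_roundtrip(allow_udp_replies: bool, rules=RULES):
    fw = Firewall(rules, allow_udp_replies)
    return fw.evaluate(QUERY), fw.evaluate(REPLY)
```

Without reply tracking the answer from port 53 to port 1031 is matched by rule 2 and dropped, which is exactly the symptom in the thread; a per-port accept rule such as the poster's Service_1031_UDP only works while the ephemeral port stays 1031.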
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================