But then again, in this case, since this is UDP, and there are no SYN
packets, it should be able to send the replies through the firewall if the
ports are open.  But it would be silly and very insecure to open those ports
just for UDP replies.

I have contacted my ISP and they allow me to connect directly to one of the
DNS servers in the cluster.

Thanks to all that replied to my [many] previous mails

> -----Original Message-----
> From: Langa Kentane
> Sent: 10 January 2001 15:53
> To: Firewall-1 Mailing List (E-mail)
> Cc: Jim Morrisby
> Subject: stateful firewalling and clustering.
> 
> Greetings gurus.
> 
> I have now discovered something else in connection with a problem I was
> having.  Yesterday I realised that some machine from our ISP [machine A]
> was sending us packets that were getting dropped by the firewall,
> originating from port 80 and going to ports ranging from 34000 to 37xxx.
> At first I thought it was a port scan being done on the firewall.  Then I
> thought it was time-out backward connections being blocked so I increased
> the UDP time out.  The packets were going to our mail server and direct to
> the firewall.
> 
> Now the mail server has both a legal and illegal address [using static
> source/dest NAT].  After digging through the log files some more, I realised
> that our mail server was doing DNS queries to machine B.  The secondary
> DNS server for our mail server is machine B.
> 
> Turns out that our ISP has a DNS server cluster.  Machine B being the
> virtual/primary [whatever] address for the DNS cluster.  Now what happens
> is that when our mail server does a DNS query to machine B, machine A
> answers the query and because machine A does not have a valid connection
> in the state table, the packets are being dropped.
> 
> Now, how do I get around this problem??  Is it possible to fix this??
> 
> __________________________________________________________
> Langa Kentane         | TEL: (011) 290 3218
> Security Administrator        | Cell: 082 606 1515
> DISCOVERY HEALTH              | http://www.discoveryhealth.co.za
> __________________________________________________________________
> 

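The drop described in the thread, modelled as an added example that is not part of the original mails: a minimal stateful UDP table keyed on the full 4-tuple, a reply from a different cluster member than the one queried, and a small diagnostic that correlates such drops with outstanding queries. Addresses, port numbers (DNS on 53) and timeouts are constructed assumptions, not the poster's real values.

```python
from dataclasses import dataclass

MAIL_SERVER = "192.0.2.25"   # constructed: inside host doing the DNS lookups
MACHINE_B = "198.51.100.53"  # constructed: the cluster's virtual address that is queried
MACHINE_A = "198.51.100.54"  # constructed: the cluster member that actually answers

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ts: float  # arrival time in seconds

class StatefulUdpFilter:
    """Minimal model of a stateful firewall's UDP pseudo-connection table."""
    def __init__(self, udp_timeout=40.0):
        self.udp_timeout = udp_timeout
        self.table = {}  # (src, sport, dst, dport) -> time the entry was created
    def outbound(self, pkt):
        # An outbound query creates an entry keyed on the full 4-tuple.
        self.table[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.ts

    def inbound(self, pkt):
        """Return (accepted, reason) for a packet arriving from outside."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reversed 4-tuple
        created = self.table.get(key)
        if created is None:
            return False, "no matching entry"
        if pkt.ts - created > self.udp_timeout:
            del self.table[key]
            return False, "entry expired"
        return True, "matched"

def asymmetric_reply_candidates(fw, dropped):
    """Defender diagnostic: dropped inbound packets whose inside host and port
    match an outstanding query to a *different* outside address."""
    hits = []
    for pkt in dropped:
        for src, sport, dst, dport in fw.table:
            if (src, sport, dport) == (pkt.dst, pkt.dport, pkt.sport) and dst != pkt.src:
                hits.append((pkt.src, dst))  # (who answered, who was asked)
    return hits

def demo(udp_timeout=40.0):
    # Query machine B, get answered by machine A: dropped whatever the timeout is.
    fw = StatefulUdpFilter(udp_timeout)
    fw.outbound(Packet(MAIL_SERVER, 34567, MACHINE_B, 53, 0.0))
    reply = Packet(MACHINE_A, 53, MAIL_SERVER, 34567, 0.5)
    verdict = fw.inbound(reply)
    return verdict, asymmetric_reply_candidates(fw, [reply])
```

Raising the UDP timeout changes nothing here, because the reply never matches an entry in the first place; only a reply from the queried address does.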

================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================