firewall blocking 53
Eric L. Howard
elh at outreachnetworks.com
Wed Aug 7 18:04:22 UTC 2002
At a certain time, now past, Pete Ehlke spake thusly:
>
> On Wed, Aug 07, 2002 at 01:36:22PM -0400, Eric L. Howard wrote:
> >
> > This timeout is something that you can configure in Firewall-1. Look under
> > the properties for your rule-set. 40 *seconds* is a long time to wait for
> > return traffic...
> >
> Most of the DNS is UDP traffic. It's expected that there will sometimes
> be timeouts.
40 seconds is still a long time to wait for a reply packet. Whether that
packet is delivered via UDP or as part of a TCP session...
So many things could have happened to a packet/session in 40 seconds, that
the timeout has got to be set somewhere.
> If you've set up Firewall-1 to dynamically block ports on your name
> server based on the fact that it's sending UDP datagrams that don't get
> replied to, then you have shot yourself in the foot. Pinning your query
> source-port won't help at all.
> The right answer here is "Don't do that".
Firewall-1 by default is (was?) set to 40 seconds as the UDP timeout.
Aiding in his ability to nail down the timeout window. This is not
necessarily a misconfiguration on anyone's part...
~elh
--
Eric L. Howard e l h @ o u t r e a c h n e t w o r k s . c o m
------------------------------------------------------------------------
www.OutreachNetworks.com 313.297.9900
------------------------------------------------------------------------
Advocate of the Theocratic Rule
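The thread turns on how a stateful firewall tracks UDP "sessions" for DNS: an outbound query opens a state entry, a reply is only accepted while that entry is alive, and Firewall-1's default UDP timeout is stated above as 40 seconds. The following toy model is an added example, not code from the thread, Firewall-1, or BIND; the packet layout, addresses, and clock are constructed, and only the 40-second figure comes from the post. It shows why a reply arriving inside the window passes, why an unsolicited inbound datagram is dropped, and what changes when the timeout is raised.

```python
"""Toy model of a stateful firewall's UDP state table for DNS queries.

Constructed example for illustration. The 40-second default is the value
the thread attributes to Firewall-1; packet fields, addresses and the
clock are assumptions made for this example.
"""

from dataclasses import dataclass, field

UDP_TIMEOUT_SECONDS = 40.0  # Firewall-1 default UDP timeout, as stated in the thread


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    time: float  # seconds on a constructed clock


@dataclass
class StatefulUdpFilter:
    """Tracks outbound UDP flows and admits replies only while state is alive."""

    timeout: float = UDP_TIMEOUT_SECONDS
    # (inside_ip, inside_port, outside_ip, outside_port) -> time last seen
    table: dict = field(default_factory=dict)
    dropped: list = field(default_factory=list)

    def outbound(self, pkt: Packet) -> None:
        """An outbound query creates or refreshes a state entry."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        self.table[key] = pkt.time

    def inbound(self, pkt: Packet) -> bool:
        """An inbound datagram is accepted only if a matching, unexpired entry exists."""
        self.expire(pkt.time)
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.table:
            self.table[key] = pkt.time  # reply refreshes the entry
            return True
        self.dropped.append(pkt)
        return False

    def expire(self, now: float) -> None:
        """Remove entries idle for longer than the timeout."""
        stale = [k for k, seen in self.table.items() if now - seen > self.timeout]
        for k in stale:
            del self.table[k]


def simulate(timeout: float = UDP_TIMEOUT_SECONDS) -> dict:
    """Run a constructed sequence of DNS queries and replies through the filter."""
    fw = StatefulUdpFilter(timeout=timeout)
    resolver, upstream = "192.0.2.10", "198.51.100.53"  # documentation addresses

    # Query from ephemeral port 40001 at t=0, answered 200 ms later: inside the window.
    fw.outbound(Packet(resolver, 40001, upstream, 53, 0.0))
    fast = fw.inbound(Packet(upstream, 53, resolver, 40001, 0.2))

    # Second query at t=1 whose reply only shows up at t=45.
    fw.outbound(Packet(resolver, 40002, upstream, 53, 1.0))

    # Inbound datagram to a port that never sent a query: no state, so dropped.
    unsolicited = fw.inbound(Packet(upstream, 53, resolver, 40003, 2.0))

    # Late reply: with a 40 s timeout the entry has already been expired.
    late = fw.inbound(Packet(upstream, 53, resolver, 40002, 45.0))

    return {
        "fast": fast,
        "unsolicited": unsolicited,
        "late": late,
        "dropped": len(fw.dropped),
    }


if __name__ == "__main__":
    print(simulate())
    print(simulate(timeout=60.0))
```

With the default window the late reply is discarded along with the unsolicited datagram; raising the timeout to 60 seconds lets the late reply through while the unsolicited packet is still dropped. The model also makes the thread's point about source-port pinning concrete: state is keyed per flow and expires on idle time regardless of which source port the query used, so pinning the port changes nothing about the timeout behaviour.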