firewall blocking 53

Armin Safarians armin.safarians at safeway.com
Wed Aug 7 18:53:20 UTC 2002


Unless I'm reading this wrong, I think the conversation has moved off of
the actual timeout in question. 
The timeout my problem is with is not the one for responses coming back
for a query.
My issue is when the query goes out on a high port, the firewall sees the
port and establishes a connection.
All the queries sent after that one are on the same high port; if there
are no queries sent for 40 seconds, the firewall will block the
responses back to the port. I don't have any problems with the timeout
for a query to get back to me.

AMS :-)

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On
Behalf Of Pete Ehlke
Sent: Wednesday, August 07, 2002 11:26 AM
To: bind users
Subject: Re: firewall blocking 53



On Wed, Aug 07, 2002 at 02:04:22PM -0400, Eric L. Howard wrote:
> 
> At a certain time, now past, Pete Ehlke spake thusly:
> > 
> > On Wed, Aug 07, 2002 at 01:36:22PM -0400, Eric L. Howard wrote:
> > > 
> > > This timeout is something that you can configure in Firewall-1.  
> > > Look under the properties for your rule-set.  40 *seconds* is a 
> > > long time to wait for return traffic...
> > > 
> > Most of the DNS is UDP traffic. It's expected that there will 
> > sometimes be timeouts.
> 
> 40 seconds is still a long time to wait for a reply packet.  Whether 
> that packet is delivered via UDP or as part of a TCP session...
> 
> So many things could have happened to a packet/session in 40 seconds, 
> that the timeout has got to be set somewhere.

I completely agree. *Applications* should set a timeout; named's default
is 30 seconds. And there might be certain paranoid situations in which a
firewall administrator might want to dynamically block random ports that
send datagrams that never get replied to; there are certainly various
badguy applications that are known to communicate via unacknowledged DNS
or ICMP packets, for example. But you've not convinced me that this is a
good thing to be applying to your internal name servers, which due to
the nature of the DNS *will* sometimes emit queries that do not get
responded to.

> 
> > If you've set up Firewall-1 to dynamically block ports on your name 
> > server based on the fact that it's sending UDP datagrams that don't 
> > get replied to, then you have shot yourself in the foot. Pinning 
> > your query source-port won't help at all. The right answer here is 
> > "Don't do that".
> 
> Firewall-1 by default is (was?) set to 40 seconds as the UDP timeout. 
> Aiding in his ability to nail down the timeout window.  This is not 
> necessarily a misconfiguration on anyone's part...
> 
Well, if it cuts off services that are business critical and not meant
to be cut off, then it's a misconfiguration. Full stop.

-P.
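The thread turns on two separate timers: the firewall's UDP state timeout (40 seconds by default on Firewall-1, per Eric) and the resolver's own per-query timeout (30 seconds for named, per Pete). The following simulation is an added example, not code from the thread or from ISC; it models a generic stateful UDP filter that creates a state entry on an outbound datagram and refreshes it on traffic in either direction, which is an assumption about firewall behaviour rather than a documented Firewall-1 property. The addresses, source port and timings are constructed. It classifies each reply by whether the firewall passes it and whether named is still waiting, and shows why a firewall idle timeout shorter than the resolver timeout is the configuration that actually loses answers.

```python
"""Resolver behind a stateful UDP firewall: which replies get through, and
whether the resolver still wants them when they do.  Added example, not from
the thread; the firewall model below is an assumption, not Firewall-1 code."""
from dataclasses import dataclass, field

FIREWALL1_UDP_IDLE = 40.0    # Firewall-1 default UDP timeout quoted in the thread
NAMED_QUERY_TIMEOUT = 30.0   # named's default per-query timeout quoted in the thread

# Constructed flow: resolver pinned to one high source port, talking to one
# remote server (192.0.2.0/24 is a documentation range, not a real target).
FLOW = ("10.0.0.5", 1053, "192.0.2.10", 53)


@dataclass
class StatefulUdpFilter:
    """Assumed model: an outbound datagram creates or refreshes a state entry
    for its flow; a reply is passed only while that entry is fresher than
    idle_timeout, and passing a reply refreshes the entry too."""
    idle_timeout: float
    last_seen: dict = field(default_factory=dict)   # flow -> time of last packet

    def outbound(self, flow, now):
        self.last_seen[flow] = now

    def inbound(self, flow, now):
        seen = self.last_seen.get(flow)
        if seen is None or now - seen > self.idle_timeout:
            self.last_seen.pop(flow, None)   # entry expired: reply is dropped
            return False
        self.last_seen[flow] = now
        return True


def run(events, idle_timeout, query_timeout=NAMED_QUERY_TIMEOUT):
    """events: tuples ('query'|'reply', time_s, query_id, flow).
    Returns {query_id: verdict} for every reply in the trace."""
    fw = StatefulUdpFilter(idle_timeout)
    sent, verdicts = {}, {}
    for kind, t, qid, flow in sorted(events, key=lambda e: e[1]):
        if kind == "query":
            fw.outbound(flow, t)
            sent[qid] = t
            continue
        passed = fw.inbound(flow, t)
        waiting = t - sent[qid] <= query_timeout   # named still has the query open
        if passed and waiting:
            verdicts[qid] = "answered"
        elif waiting:
            verdicts[qid] = "lost: firewall dropped a reply named still wanted"
        elif passed:
            verdicts[qid] = "stale: passed by firewall, named already gave up"
        else:
            verdicts[qid] = "dropped but harmless: named already gave up"
    return verdicts


def firewall_timeout_is_safe(idle_timeout, query_timeout=NAMED_QUERY_TIMEOUT):
    """Under this model a reply the resolver still wants can only be dropped
    if the firewall forgets the flow before the resolver does."""
    return idle_timeout >= query_timeout


# Constructed trace: times in seconds since the first query.
SCENARIO = [
    ("query", 0.0, "A", FLOW), ("reply", 0.1, "A", FLOW),     # fast answer
    ("query", 50.0, "B", FLOW),                                # 50 s of silence first
    ("query", 60.0, "C", FLOW), ("reply", 60.2, "C", FLOW),   # same port, refreshes state
    ("reply", 75.0, "B", FLOW),                                # B answered after 25 s
    ("query", 200.0, "D", FLOW), ("reply", 245.0, "D", FLOW), # 45 s reply, nothing else
    ("query", 300.0, "E", FLOW), ("reply", 325.0, "E", FLOW), # 25 s reply, nothing else
    ("query", 400.0, "F", FLOW),
    ("query", 420.0, "G", FLOW), ("reply", 420.1, "G", FLOW),
    ("reply", 435.0, "F", FLOW),                               # 35 s reply, state kept fresh by G
]


def with_firewall1_defaults():
    return run(SCENARIO, FIREWALL1_UDP_IDLE)


def with_short_idle():
    # Hypothetical 20 s UDP timeout, shorter than named's 30 s.
    return run(SCENARIO, 20.0)


if __name__ == "__main__":
    for label, verdicts in (("idle 40 s", with_firewall1_defaults()),
                            ("idle 20 s", with_short_idle())):
        print(label)
        for qid, verdict in sorted(verdicts.items()):
            print(f"  {qid}: {verdict}")
```

With the 40 second default, the only reply the filter drops (D) is one named abandoned 15 seconds earlier, so nothing is lost; with a hypothetical 20 second timeout, reply E is dropped while named is still waiting. Query B survives in both cases because query C on the same pinned source port refreshed the flow entry, which is the interaction between source-port pinning and state timeouts the thread is circling around.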


