firewall blocking 53

Eric L. Howard elh at outreachnetworks.com
Wed Aug 7 19:37:04 UTC 2002


At a certain time, now past, Pete Ehlke spake thusly:
> 
> On Wed, Aug 07, 2002 at 02:49:48PM -0400, Eric L. Howard wrote:
> > 
> > Agreed...but if named's default timeout = 30 seconds and Firewall-1 default
> > timeout = 40 seconds...where's the misconfiguration that cuts off services
> > that are business critical?
> > 
> It's UDP; there's no facility for closing the connection that the
> firewall can use to understand whether the name server has given up. 
> If the name server sends my home machine a query (I drop port 53
> inbound, along with almost everything else), that query will time out on
> the name server, but from what's been said of FW-1 here, the firewall
> has no way of knowing that, and in this configuration it cuts off the
> name server. "That's bad, Gir."

Uhmmm...have you never heard of UDP session tracking?  A connection doesn't
have to be FIN'd.  Who said the firewall was tearing down the connection?

> > If he pushed up the default timeout on the nameserver, but didn't talk to
> > the firewall folks about services that traverse the firewall (what decent
> > firewall doesn't implement a timeout on dead/waiting connections?), then the
> > misconfiguration is on the nameserver end.
> > 
> No, the misconfiguration is in deciding that a timed out UDP session
> should cause the name server to be blocked. You can time out UDP if you
> want; it's probably even a good idea. But using the fact that a datagram
> from your internal name server to a remote machine's port 53 timed out
> to decide to block further communication from that server, well, I stand
> by my original statement. You just shot yourself in the foot. The Denial
> of Service attack is left as a trivial exercise for the reader.

Uhmmm...though the means may be lacking in some areas, stateful-inspection
firewalls (e.g. Checkpoint Firewall-1, Sonicwall) build virtual session
information tables to track connectionless protocols (i.e. UDP, RPC).  This
+ configurable timeout values are used for connectionless protocols.
Similar for ICMP...type and code information are read to build info.

Foot looks fine to me...

       ~elh
-- 
Eric L. Howard           e l h @ o u t r e a c h n e t w o r k s . c o m
------------------------------------------------------------------------
www.OutreachNetworks.com                                    313.297.9900
------------------------------------------------------------------------
                    Advocate of the Theocratic Rule
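As an added illustration (not code from the thread or from any firewall vendor), the following is a toy Python model of the UDP "virtual session" table a stateful-inspection firewall keeps, run with the 30-second resolver and 40-second firewall timeouts mentioned in the thread; the addresses, ports and function names are constructed for the example.

```python
# Toy model of a stateful firewall's UDP session table (hypothetical,
# not any vendor's implementation). It shows the failure mode discussed
# above: a resolver timeout raised past the firewall's UDP timeout makes
# the firewall drop replies the resolver is still waiting for.

class UdpSessionTable:
    """Tracks outbound UDP flows; a reply is allowed only while its entry lives."""

    def __init__(self, udp_timeout):
        self.udp_timeout = udp_timeout   # seconds an idle entry survives
        self.entries = {}                # (src, sport, dst, dport) -> expiry time

    def _expire(self, now):
        dead = [k for k, exp in self.entries.items() if exp <= now]
        for k in dead:
            del self.entries[k]

    def outbound(self, now, src, sport, dst, dport):
        """Internal host sends a datagram: create or refresh its session entry."""
        self._expire(now)
        self.entries[(src, sport, dst, dport)] = now + self.udp_timeout
        return True

    def inbound(self, now, src, sport, dst, dport):
        """Datagram from outside: permitted only if it matches a live entry."""
        self._expire(now)
        key = (dst, dport, src, sport)   # reverse of the outbound tuple
        if key not in self.entries:
            return False                 # unsolicited or stale reply: dropped
        self.entries[key] = now + self.udp_timeout   # refresh on traffic
        return True


def resolve(resolver_timeout, firewall_udp_timeout, reply_delay):
    """One query from an internal resolver to a remote port 53.

    Returns 'answered', 'resolver_gave_up' (reply arrives after the resolver
    stopped waiting) or 'dropped_by_firewall' (resolver still waiting, but the
    firewall's session entry had already expired).
    """
    fw = UdpSessionTable(firewall_udp_timeout)
    resolver, remote = ("10.0.0.53", 3456), ("192.0.2.1", 53)   # constructed
    fw.outbound(0.0, *resolver, *remote)          # query leaves at t=0
    if reply_delay > resolver_timeout:
        return "resolver_gave_up"
    if fw.inbound(reply_delay, *remote, *resolver):
        return "answered"
    return "dropped_by_firewall"
```

With the thread's numbers (resolver 30 s, firewall 40 s) a slow reply is simply abandoned by the resolver; only when the resolver waits longer than the firewall does the firewall become the thing that breaks resolution.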


More information about the bind-users mailing list