firewall blocking 53

David Botham dns at botham.net
Wed Aug 7 19:52:36 UTC 2002

[clip...]
> >
> It's UDP; there's no facility for closing the connection that the
> firewall can use to understand whether the name server has given up.
> If the name server sends my home machine a query (i drop port 53
> inbound, along with almost everything else), that query will time out
> on the name server, but from what's been said of FW-1 here, the firewall
> has no way of knowing that, and in this configuration it cuts off the
> name server. "That's bad, Gir."
> 
> > If he pushed up the default timeout on the nameserver, but didn't talk
> > to the firewall folks about services that traverse the firewall (what
> > decent firewall doesn't implement a timeout on dead/waiting connections?),
> > then the misconfiguration is on the nameserver end.
> >
> No, the misconfiguration is in deciding that a timed out UDP session
> should cause the name server to be blocked. You can time out UDP if you
> want; it's probably even a good idea. But using the fact that a datagram
> from your internal name server to a remote machine's port 53 timed out
> to decide to block further communication from that server, well, I stand
> by my original statement. You just shot yourself in the foot. The Denial
> of Service attack is left as a trivial exercise for the reader.

I agree with Pete.  If the fw blocks all replies after the first
timeout, even if the name server sends additional queries, then the fw
is broken (or at least sucks).  However, I do not think that FW-1
operates that way.  Here is what Checkpoint has to say about the options
it uses to control UDP "state":
**********quote*************
Virtual Session Time-outs

VPN-1/FireWall-1 secures connectionless services using the concept of a
"virtual session",  creating a connection context for these services.
Once the specified time has elapsed, the communication is assumed to
have ended and the reply channel is closed.

UDP Virtual Session Timeout - Specifies the amount of time a UDP reply
channel may remain open without any packets being returned.

ICMP Virtual Session Timeout - An ICMP virtual session will be
considered to have timed out after this time period.

Other IP protocols virtual session timeout - A virtual session of
services (which are not one of the following: TCP, UDP, ICMP)
will be considered to have timed out after this time period.

Stateful UDP: These properties define the defaults for UDP services that
are not defined in the Check Point Services Manager.  For UDP services
defined in the Services Manager, the properties are defined on a
per-service basis in the Advanced UDP Service Properties window 

Accept stateful UDP replies for unknown services - Specifies if UDP
replies are to be accepted. To specify that no UDP replies will be
accepted, uncheck Accept stateful UDP replies for unknown services. If
Accept stateful  UDP replies for unknown services is checked, then
Accept stateful UDP replies from any port for unknown services specifies
from which ports to accept UDP replies.

Accept stateful UDP replies from any port for unknown services - If
checked, UDP replies will be accepted from any port. Otherwise, UDP
replies will be accepted only from the port to which the original
communication was sent.
*********end quote***********

I think that the use of query-source will fix this problem in the end.

Dave...

> 
> -Pete
> 
> 
> -P.
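The behaviour the quoted Check Point text describes (a reply channel opened by the outbound datagram, kept only while packets keep flowing, with an optional "replies from any port" relaxation) is easy to model. The Python below is an added illustration written for this thread, not Check Point's code and not BIND's; the 40-second timeout, the addresses and the port numbers are constructed values, and the last scenario shows why a fixed query-source port changes the picture: every query to the same server then refreshes one virtual session instead of opening a new one per random port.

```python
"""Toy model of a stateful-UDP "virtual session" table, in the sense of the
Check Point text quoted above: an outbound datagram opens a reply channel
keyed on the 4-tuple, replies are accepted while the channel has seen a
packet within the UDP virtual session timeout, and replies may optionally
arrive from any source port.  Added example; values are constructed."""
from dataclasses import dataclass, field


@dataclass
class VirtualSessionTable:
    udp_timeout: float = 40.0          # seconds; constructed, not the product default
    replies_from_any_port: bool = False
    sessions: dict = field(default_factory=dict)  # 4-tuple -> time of last packet

    def _expire(self, now):
        """Close every channel that has been idle longer than the timeout."""
        for key in [k for k, last in self.sessions.items() if now - last > self.udp_timeout]:
            del self.sessions[key]

    def outbound(self, src_ip, src_port, dst_ip, dst_port, now):
        """Internal host sends a datagram: open (or refresh) its reply channel."""
        self._expire(now)
        self.sessions[(src_ip, src_port, dst_ip, dst_port)] = now

    def inbound(self, src_ip, src_port, dst_ip, dst_port, now):
        """Datagram from outside: accept only if it answers an open channel.
        Returns (accepted, reason)."""
        self._expire(now)
        for (in_ip, in_port, out_ip, out_port), _ in self.sessions.items():
            if (dst_ip, dst_port, src_ip) != (in_ip, in_port, out_ip):
                continue
            if src_port == out_port or self.replies_from_any_port:
                self.sessions[(in_ip, in_port, out_ip, out_port)] = now  # a reply keeps it open
                return True, "matched virtual session"
            return False, "port mismatch"
        return False, "no virtual session"


def run_scenario(replies_from_any_port=False):
    """Walk a resolver's queries through the table; returns a dict of outcomes."""
    resolver, remote = "10.0.0.53", "192.0.2.10"   # constructed addresses
    fw = VirtualSessionTable(udp_timeout=40.0, replies_from_any_port=replies_from_any_port)
    results = {}

    # Query from a random source port, answered promptly: accepted.
    fw.outbound(resolver, 1025, remote, 53, now=0.0)
    results["prompt_reply"] = fw.inbound(remote, 53, resolver, 1025, now=5.0)

    # Remote is slow; its answer arrives after the channel has timed out: dropped.
    fw.outbound(resolver, 1026, remote, 53, now=10.0)
    results["late_reply"] = fw.inbound(remote, 53, resolver, 1026, now=60.0)

    # A fresh query after that timeout opens a new channel; the server is
    # not "blocked" by the earlier timeout, only that one reply was lost.
    fw.outbound(resolver, 1027, remote, 53, now=61.0)
    results["after_timeout"] = fw.inbound(remote, 53, resolver, 1027, now=62.0)

    # Reply from a source port other than the one queried: depends on the option.
    results["odd_port"] = fw.inbound(remote, 1053, resolver, 1027, now=63.0)

    # With a fixed query-source port, a second query to the same server refreshes
    # the same channel, so the late answer to the first query is still accepted.
    fw_fixed = VirtualSessionTable(udp_timeout=40.0)
    fw_fixed.outbound(resolver, 53, remote, 53, now=10.0)
    fw_fixed.outbound(resolver, 53, remote, 53, now=45.0)
    results["fixed_port_late_reply"] = fw_fixed.inbound(remote, 53, resolver, 53, now=60.0)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:>22}: {outcome}")
```

The model only tracks reply channels, so a timed-out session drops exactly one late answer and nothing else; a firewall that instead blacklisted the querying host after a timeout would need extra state the quoted documentation does not describe.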
