Are you connecting to a load balanced IP on the F5, or the DNS server
itself? If you're trying to do zone transfers (TCP 53 as opposed to UDP
53 for query) then doing a zone transfer to a load balanced IP is going
to cause you problems when some servers get out of sync with the zone
depending on how you architected it. If the F5s are outside the
firewall that this is crossing, then they can also be set up for SNAT,
and your source will change. You didn't say what the IPs were in the
log message. Also, I'm assuming no mention of smart defense, so it's
not the DNS protocol inspection that's clobbering it, but that's
something to check. If these are Windoze servers doing AD replication
of DNS, they'll use TCP 53, but what they push in no way resembles
normal DNS zone transfers, and the smart defense settings are right to
clobber the traffic. About your only option for Windoze is to turn off
the DNS checks to let it go through.
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Grandad
Sent: Monday, June 27, 2005 10:24
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [SPAM] [FW-1] TCP 53 through Firewall-1
I'm running Firewall-1 R55W on a Nokia appliance. As a test, I ended up
creating a rule at the top of the rulebase with straight TCP port 53
service (no protocol definitions), all involved DNS servers defined as
normal Node objects and put them all in both source and Dst fields.
I've enabled logging for everything I can think of, i.e. for out of
state packets, implied rules and the explicit aforementioned DNS rule.
When connections are attempted, Firewall-1 shows a drop packet on rule
1 (the explicit DNS rule). No info in the info field. The connections
fail with no explanation why. I'm trying to get an fw monitor output but not
sure if this will tell me anything.
One thing worth mentioning here is that there are 2 F5 nodes upstream
from the Firewall-1 machine that perform NAT.
Any ideas on how to get this working would be greatly appreciated.
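An added example, not part of either message in this thread, illustrating the reply's point about DNS protocol inspection on TCP 53: it frames a TCP-53 payload as DNS (2-byte length prefix, 12-byte header, one question) and tells a zone-transfer request (AXFR/IXFR) apart from an ordinary query or from a stream that is not DNS at all, which is roughly the distinction an inspection engine makes before clobbering the traffic. The sample payloads are constructed here, not captured from the poster's network.

```python
import struct

QTYPE_IXFR, QTYPE_AXFR = 251, 252

def build_dns_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a constructed DNS-over-TCP query: 2-byte length prefix + header + one question."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set, QR=0 (query)
    msg = header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    return struct.pack("!H", len(msg)) + msg

def _skip_qname(msg: bytes, pos: int):
    """Walk the question name's labels; return the offset after the root label, or None if malformed."""
    while pos < len(msg):
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length > 63:            # compression pointer or oversize label: not a plain question name
            return None
        pos += 1 + length
    return None

def classify_tcp53_payload(payload: bytes) -> str:
    """Sanity-check one TCP-53 message the way a DNS protocol inspector would.
    Returns 'axfr', 'query', 'response' or 'not-dns'."""
    if len(payload) < 14:                      # 2-byte length + 12-byte DNS header
        return "not-dns"
    (msg_len,) = struct.unpack("!H", payload[:2])
    msg = payload[2:]
    if msg_len != len(msg):                    # TCP framing length must match the message
        return "not-dns"
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    opcode = (flags >> 11) & 0xF
    if opcode > 2 or (flags >> 6) & 1 or qdcount != 1:   # unknown opcode, Z bit set, not one question
        return "not-dns"
    end = _skip_qname(msg, 12)
    if end is None or end + 4 > len(msg):
        return "not-dns"
    qtype, qclass = struct.unpack("!HH", msg[end:end + 4])
    if qclass not in (1, 255):                 # IN or ANY
        return "not-dns"
    if flags >> 15:                            # QR bit set: an answer, not a request
        return "response"
    return "axfr" if qtype in (QTYPE_IXFR, QTYPE_AXFR) else "query"

# Constructed samples: an AXFR request, a plain A query, and a non-DNS binary blob sent to port 53.
SAMPLES = {
    "axfr": build_dns_query("example.com", QTYPE_AXFR),
    "query": build_dns_query("example.com", 1),
    "not-dns": b"\x05\x00\x0b\x03\x10\x00\x00\x00" * 4,   # constructed RPC-looking bytes, not DNS
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:8s} -> {classify_tcp53_payload(payload)}")
```

Run it over the payloads from an fw monitor capture of the dropped connection to see whether what crosses TCP 53 is a well-formed transfer request or something the DNS checks would never accept.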
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to
LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options,
email fw-1-owner AT ts.checkpoint DOT com
=================================================