Hi
Is the firewall Linux/SPLAT? If so:
Edit the file $FWDIR/boot/modules/fwkern.conf by adding the line:
allow_dnssec_bit=1
You need to create the fwkern.conf file if you don't have it.
Also note that fwkern.conf is very very picky on syntax.
Reboot the firewall to see that it works.
If IPSO:
At the prompt: modzap allow_dnssec_bit $FWDIR/boot/modules/fwmod.o 1
cpstop, cpstart
Regards,
Torkel
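Since fwkern.conf is picky about syntax, the edit is easiest to get right with a small idempotent helper. The following is an added example, not code from the list or from Check Point: it creates the file if missing, replaces any existing line for the parameter instead of duplicating it, and writes a clean "key=value" line with a trailing newline. Run it against $FWDIR/boot/modules/fwkern.conf on the firewall and reboot as described above; the demo at the bottom uses a constructed temporary file.

```shell
# set_fwkern_param FILE KEY VALUE
# Ensure FILE holds exactly one "KEY=VALUE" line (no spaces around '=',
# newline-terminated), creating FILE if it does not exist.
set_fwkern_param() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    # fwkern.conf may not exist yet on a fresh installation.
    [ -f "$file" ] || : > "$file"
    # Drop any existing line for this key, tolerating stray whitespace;
    # grep -v exits 1 when nothing is left, which is fine here.
    grep -v "^[[:space:]]*$key[[:space:]]*=" "$file" > "$tmp" || true
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# check_fwkern_param FILE KEY VALUE
# Succeed only if FILE contains exactly one well-formed "KEY=VALUE" line.
check_fwkern_param() {
    file=$1; key=$2; value=$3
    n=$(grep -c "^$key=$value\$" "$file" || true)
    [ "$n" -eq 1 ]
}

# Demo on a constructed sample file (not a real firewall):
# an older, sloppily formatted setting gets replaced rather than duplicated.
demo_file="${TMPDIR:-/tmp}/fwkern.conf.demo.$$"
printf 'some_other_param=5\nallow_dnssec_bit = 0 \n' > "$demo_file"
set_fwkern_param "$demo_file" allow_dnssec_bit 1
set_fwkern_param "$demo_file" allow_dnssec_bit 1   # second run is a no-op
cat "$demo_file"
rm -f "$demo_file"
```

After the reboot, `fw ctl get int allow_dnssec_bit` on the firewall shows whether the kernel picked the value up.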
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST AT
AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of fwadmin fwadmin
Sent: 29 September 2005 09:46
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Antw: [FW-1] FW-1 and Bind 9.3.1
Script it and run it with cron or the IPSO scheduler.
>>> choff AT TRUENORTHSOLUTIONS DOT NET 09/28/05 8:49 >>>
Isn't this only effective until a reboot of the firewall? Aren't there some
further modifications that need to be done in order to keep the setting through
a reboot?
Chris
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST AT
AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of fwadmin fwadmin
Sent: Wednesday, September 28, 2005 10:04 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] Antw: [FW-1] FW-1 and Bind 9.3.1
fw ctl set int allow_dnssec_bit 1
>>> fwadmin AT DAHL-STAMNES DOT NET 09/28/05 10:15 >>>
We have installed Bind 9.3.1 on a Fedora Core 4 machine inside a FW-1 R54.
When we try to do a DNS lookup for a host on the internet, the firewall log is
filled with a lot of rejected messages:
Attack info: Badly formed DNS
Attack info: Illegal resource record format (request)
Only one of 40-50 requests from the DNS server is accepted, and the DNS server
was not able to resolve any external names.
I can bypass this problem by defining my own TCP and UDP services for port 53.
Seems like SmartDefense is not that up to date about the DNS protocol.
Will doing this be a security risk? Other solutions?
The old DNS server was running Bind 8.2.3 and had none of these problems.
--
Jørn Dahl-Stamnes
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to LISTSERV AT
amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================