 From:  Christiaens Joachim <jchristi at oce dot be>
 To:  "'Michael A. Alderete'" <lists dash 2003 at alderete dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] Firewall rules to allow DNS server in DMZ
 Date:  Thu, 26 Feb 2004 11:54:47 +0100
> -----Original Message-----
> From: Michael A. Alderete [mailto:lists dash 2003 at alderete dot com]
> Sent: Thursday 26 February 2004 10:59
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] Firewall rules to allow DNS server in DMZ
> 
> 
> [Reposting because there was no response. If I've left 
> critical information out, could you let me know? Thanks!]
> 
> I have set up my DNS server in m0n0wall's DMZ, using 1:1 NAT, 
> with my server at 192.168.2.2 on the DMZ network. I've set up 
> the appropriate Proxy ARP settings, and what I think should 
> be the correct firewall settings to allow outside clients to 
> resolve my domains by accessing my DNS server. And most of 
> the time it works, I receive mail, handle web requests, etc., 
> as expected.
> 
> However, I do seem to regularly get blocked packets in my 
> firewall logs for what looks like legitimate DNS 
> requests/responses. Here are some examples from earlier today:
> 
> 11:27:44.071595 sis2 @0:20 b 192.168.2.2,53 -> 209.88.69.119,42211 PR udp len 20 270 IN
> 
> 11:24:55.502349 sis2 @0:20 b 192.168.2.2,53 -> 205.160.233.2,34975 PR udp len 20 275 IN
> 
> 11:17:12.403982 sis2 @0:20 b 192.168.2.2,53 -> 165.121.1.2,32946 PR udp len 20 270 IN
> 
> 11:16:20.709751 sis2 @0:20 b 192.168.2.2,53 -> 209.20.130.77,13821 PR udp len 20 270 IN
> 
> 11:16:17.523978 sis2 @0:20 b 192.168.2.2,53 -> 69.10.134.194,28808 PR udp len 20 218 IN
> 
> Here are the relevant lines from my config.xml file (I can 
> send the full file if it's required to diagnose):
> 
>     <filter>
>         <rule>
>             <type>pass</type>
>             <interface>wan</interface>
>             <protocol>tcp/udp</protocol>
>             <source>
>                 <any/>
>             </source>
>             <destination>
>                 <address>192.168.2.2</address>
>                 <port>53</port>
>             </destination>
>             <descr>Incoming DNS lookups &amp; zone xfers</descr>
>         </rule>
>        [...]
>         <rule>
>             <type>pass</type>
>             <interface>opt1</interface>
>             <protocol>tcp/udp</protocol>
>             <source>
>                 <address>192.168.2.2</address>
>             </source>
>             <destination>
>                 <any/>
>                 <port>53</port>
>             </destination>
>             <descr>Outgoing DNS lookups</descr>
>         </rule>
>     </filter>
> 

Is it me, or do I see these blocked packets going OUT on port 53, where the
rule (the 2nd, on OPT1) permits only port 53 as a destination?

> [Feature note: it would be nice for the Firewall: Rules 
> screen to (a) number the user's rules, so you can actually 
> know the numbering scheme, and (b) provide static-but-visible 
> details of the default rules.]

I would like this one too :-)

Joachim


-----------------------------------------------
MISSION STATEMENT 
-----------------------------------------------
Oce enables its customers to manage their documents efficiently and
effectively by offering innovative print and document management products
and services for professional environments.

-----------------------------------------------
DISCLAIMER 
-----------------------------------------------
This e-mail message and any attachment are intended for the sole use of the
recipient(s) named above and may contain information which is confidential
and/or protected by intellectual property rights.
Any use of the information contained herein (including, but not limited to,
total or partial reproduction, communication or distribution in any form) by
other persons than the designated recipient(s) is prohibited.

If you have received this e-mail in error, please notify the sender either
by telephone (0032-2-729.48.11) or by e-mail and delete the material from
any computer.
Oce-Belgium/Oce-Interservices is not responsible for the correct and
complete transfer of the contents of the sent e-mail, nor for its receipt
in due time.  This e-mail message does not bring about a contractual
obligation for Oce-Belgium/Oce-Interservices.

Thank you for your cooperation.

For further information about Oce-Belgium/Oce-Interservices please see our
website at www.oce.be

-----------------------------------------------
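A stateless rule check for the two config.xml rules and the five blocked log lines quoted in the thread above, added here as an illustration; it is not m0n0wall code and not from either poster. It transcribes the rules and the log lines (each rejoined from the wrapped output in the post) and asks which user rule, if any, would pass each packet. It assumes, as Joachim does, that the logging interface sis2 is OPT1, and that user rules are matched first-match against traffic entering the firewall on the named interface; it deliberately ignores the state table that m0n0wall's ipfilter keeps, so "no user rule matches" here only says that no static pass rule fits the packet, not why a state entry for the reply was absent.

```python
"""Stateless check of the posted m0n0wall rules against the posted ipfilter log lines.

Added example, not from m0n0wall or from the thread. Assumptions are marked.
"""
import re
from dataclasses import dataclass
from typing import Optional

# ASSUMPTION: the logging interface "sis2" is the OPT1 (DMZ) interface.
IFACE_TO_RULE_INTERFACE = {"sis2": "opt1"}

# The two <rule> elements quoted from config.xml. None means <any/>.
RULES = [
    {"interface": "wan", "protocol": "tcp/udp",
     "src": None, "dst": "192.168.2.2", "dport": 53,
     "descr": "Incoming DNS lookups & zone xfers"},
    {"interface": "opt1", "protocol": "tcp/udp",
     "src": "192.168.2.2", "dst": None, "dport": 53,
     "descr": "Outgoing DNS lookups"},
]

# The five blocked lines from the post, each rejoined onto one line.
POSTED_LOG = [
    "11:27:44.071595 sis2 @0:20 b 192.168.2.2,53 -> 209.88.69.119,42211 PR udp len 20 270 IN",
    "11:24:55.502349 sis2 @0:20 b 192.168.2.2,53 -> 205.160.233.2,34975 PR udp len 20 275 IN",
    "11:17:12.403982 sis2 @0:20 b 192.168.2.2,53 -> 165.121.1.2,32946 PR udp len 20 270 IN",
    "11:16:20.709751 sis2 @0:20 b 192.168.2.2,53 -> 209.20.130.77,13821 PR udp len 20 270 IN",
    "11:16:17.523978 sis2 @0:20 b 192.168.2.2,53 -> 69.10.134.194,28808 PR udp len 20 218 IN",
]

# ipfilter log layout as it appears in the post:
#   <time> <iface> @<group>:<rule> <b|p> <src>,<sport> -> <dst>,<dport> PR <proto> len <hdr> <total> <IN|OUT>
LOG_RE = re.compile(
    r"^(?P<time>\S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+) (?P<direction>IN|OUT)$"
)


@dataclass
class Packet:
    iface: str
    action: str        # "b" blocked, "p" passed
    src: str
    sport: int
    dst: str
    dport: int
    proto: str         # "udp" / "tcp"
    direction: str     # "IN" / "OUT" relative to the firewall interface


def parse_log_line(line: str) -> Packet:
    """Parse one ipfilter log line (whitespace-normalised first, since the post wraps them)."""
    m = LOG_RE.match(" ".join(line.split()))
    if not m:
        raise ValueError(f"unrecognised ipfilter log line: {line!r}")
    return Packet(iface=m["iface"], action=m["action"],
                  src=m["src"], sport=int(m["sport"]),
                  dst=m["dst"], dport=int(m["dport"]),
                  proto=m["proto"].lower(), direction=m["direction"])


def rule_matches(rule: dict, pkt: Packet) -> bool:
    """Does this user rule pass this packet? Stateless: the state table is ignored.

    m0n0wall user rules apply to traffic entering the firewall on the named
    interface, so only IN packets are candidates."""
    if pkt.direction != "IN":
        return False
    if rule["interface"] != IFACE_TO_RULE_INTERFACE.get(pkt.iface, pkt.iface):
        return False
    if pkt.proto not in rule["protocol"].split("/"):
        return False
    if rule["src"] is not None and rule["src"] != pkt.src:
        return False
    if rule["dst"] is not None and rule["dst"] != pkt.dst:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.dport:
        return False
    return True


def first_pass_rule(pkt: Packet) -> Optional[str]:
    """Description of the first user rule passing the packet, or None when only
    m0n0wall's default block would apply."""
    for rule in RULES:
        if rule_matches(rule, pkt):
            return rule["descr"]
    return None


def explain(lines) -> list:
    """(packet summary, verdict) for each log line."""
    results = []
    for line in lines:
        pkt = parse_log_line(line)
        summary = f"{pkt.iface} {pkt.direction} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}/{pkt.proto}"
        verdict = first_pass_rule(pkt) or "no user rule matches (default block)"
        results.append((summary, verdict))
    return results


if __name__ == "__main__":
    for summary, verdict in explain(POSTED_LOG):
        print(f"{summary:60} {verdict}")
```

Running it lists each of the five packets with "no user rule matches (default block)": they have source port 53 and an ephemeral destination port, and the OPT1 rule only passes destination port 53, which is the reading Joachim gives above. Feeding it the inbound query that would have elicited the first reply (209.88.69.119:42211 -> 192.168.2.2:53 on wan) hits the WAN rule, and a lookup the server itself sends out (192.168.2.2:49152 -> some resolver:53 on opt1) hits the OPT1 rule, so the static rules behave as intended for the forward direction of both flows.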