Can't get DNS from the DMZ to the Internal DNS


tfunky
09-08-2008, 08:22 PM
Hi All,

I've got a weird problem.

I can't seem to get the servers in my dmz to talk to my DNS server.

I have a firewall rule in place that says:

Traffic Type: any
client interface: any
server interface: any
source address: any
destination address: any
source port: any
destination port: 53
category : [no category]

In my mind, that's going to allow ALL port 53 traffic to ANYwhere.

If I turn on logging on that rule, I don't see any traffic from the DMZ at all.
I can hit everything else in the DMZ from the inside (I have a more trusted -> less trusted rule to handle all of that).

I just can't get udp 53 through the firewall to my server, and I can't see in the logs where the traffic is passing OR dropping.

Does anyone have any ideas? I would really appreciate the assistance!

Thanks!

Tfunk

mdh
09-08-2008, 08:27 PM
Didya check your System Packet Filter rules? I have an unchecked one called "Accept DNS traffic to the local DNS Server from all interfaces".

tfunky
09-08-2008, 08:31 PM
mdh -> Now you know I'm dense...

where in the heck would I find that?

The only packet filter I'm aware of is the firewall rack module.

Thanks!

Tfunky

mdh
09-08-2008, 08:38 PM
Not dense...just haven't looked there before (or got stung by it). Go to CONFIG -> NETWORKING -> ADVANCED. If you're already in advanced mode, it will show up as a choice there. If not, you'll have to put it in advanced mode. After you do, your tabs will be a bit different.

tfunky
09-08-2008, 08:53 PM
You were right, the check box was unchecked. I checked it and I'm still not getting anywhere.

I noticed on that same page there is a User Packet Filter Rules section at the top.

Do I need to add a rule there as well? I see that there is one that allows traffic from the Internal network to the DMZ. That makes me think that maybe they should.

What do you think? What else could I be missing that's keeping it from passing the traffic?

(thanks for your help by the way)

sky-knight
09-08-2008, 08:56 PM
I think I had to add a packet filter rule to pass UDP 53 from DMZ to internal in one of my tests...

Anyway the firewall rule you posted earlier is way too ambiguous to function. You need to narrow it down and it should pass traffic.

Traffic Type: udp
client interface: DMZ
server interface: Internal
source address: any
destination address: any
source port: any
destination port: 53
category : [no category]

tfunky
09-08-2008, 09:10 PM
I changed the firewall rule like you said.

When you say packet filter are you talking about the networking => advanced one or one in the firewall module?

Thanks!

Tfunk

tfunky
09-08-2008, 09:18 PM
I added the following to the networking -> advanced -> packet rule section...

Destination port = 53
protocol = udp
source interface = dmz
destined local.

I'm still not getting dns traffic through :(

and, just as a sanity check, I've got "Accept DNS traffic to the local DNS Server from all interfaces." checked.

and I've got a rule in the firewall module that says:
pass, UDP,
client interface = DMZ,
Server Interface = Internal,
Source address = any,
destination address = any,
source port = any,
destination port = 53,
category = [no category]

Please tell me I'm not nuts. I've gotta be missing something stupid, right?

tfunky
09-08-2008, 09:33 PM
well...I kept messing with it and I changed the actual packet filter from destined local to destined 192.168.1.x (for the DNS server) and now it's working fine.


That makes me wonder though...Do you have to put the "allow" rules in the packet filter AND the firewall?

If not, when do you put what rules where?

Thanks for your help guys!

sky-knight
09-08-2008, 09:41 PM
No, they don't have to be in both places. The packet filter is playing with IPTables on an OS level. The firewall rules are within the virtual rack inside the UVM. They operate in different places. In the case of DNS there are so many system packet filter rules that play with the traffic I think it is just easier to get it to work in there. Sorry I couldn't be more clear. I did what you are doing a while ago just tinkering and I couldn't remember exactly what I did to get DNS to flow. I do remember it being a bit of an adventure...

tfunky
09-08-2008, 09:43 PM
lol I love an adventure as much as the next guy ;)

For what it's worth...I had to do the same thing for MySQL to hit our DB server.

Is the best way to figure this kind of stuff out to try it in the firewall, then if it doesn't pass the traffic, add a rule to the packet filter?

mdh
09-08-2008, 09:49 PM
Packet filters work for the entire server (at the networking level). Firewall works via Untangle, and may be different from one rack to another (if you end up using Advanced Policy Management). Choose your path, but remember which you chose.

tfunky
09-08-2008, 09:52 PM
so I shouldn't have had to add a rule for 3306 in the actual packet filter to get the traffic to the inside server?

Just a firewall rule didn't seem to work.

On THIS box I won't have virtual racks, but I'd really like to actually "get" this so that as I deploy more I understand the correct way to do it.

(btw...thanks again you guys...I really appreciate your help!!!)

sky-knight
09-09-2008, 12:02 AM
One of the other larger points to remember is that the packet filter is a rule set applied in IPTables on an OS level. These rules are active once the Linux kernel is in ram and pushing packets. The Firewall runs within the UVM and isn't there until the UVM loads into memory. This can and does leave many configurations without defenses until the unit finishes booting. So for really critical stuff it may be a better idea to use the packet filter. However, as mdh pointed out you lose some flexibility of the firewall module.

Now, as far as the packet filter vs Firewall thing goes, the ONLY things that have to be played with in the packet filter are DHCP, DNS, SNMP, OpenVPN (assuming you didn't change the port), SSH, and ICMP. These services have system packet filter rules that may play with the way the rest of the UT services interface with that traffic. Everything else should be good to go without any other muss or fuss within the firewall module itself.
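
The following is an added illustration, not part of this thread and not Untangle's own packet-filter syntax, of the two points made above: sky-knight's earlier advice to narrow the firewall rule to udp / DMZ -> Internal / port 53, and the explanation that the packet filter is a set of IPTables rules applied at OS level. In stock iptables, packets addressed to the box itself traverse the INPUT chain, while packets routed on to a host behind another interface traverse FORWARD. That is one plausible reason a packet-filter rule scoped to "destined local" never matched queries bound for a DNS server on the internal LAN, while a rule naming the DNS server's address did; whether Untangle's "destined local" maps exactly onto INPUT is an assumption here. The interface names (eth1 for the DMZ, eth0 for internal) and the DNS address are placeholders. The script emits a LOG rule before the ACCEPT so that matching (or non-matching) traffic becomes visible in the kernel log, and prints the rules instead of applying them unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example: generate narrow iptables rules that let UDP/53 from a DMZ
# interface reach an internal DNS server. Assumed placeholders throughout;
# this is not Untangle's packet-filter configuration format.

DMZ_IF="${DMZ_IF:-eth1}"             # assumed: interface facing the DMZ
INT_IF="${INT_IF:-eth0}"             # assumed: interface facing the internal LAN
DNS_IP="${DNS_IP:-192.168.1.10}"     # placeholder for the internal DNS server
DRY_RUN="${DRY_RUN:-1}"              # 1 = print rules only; 0 = run iptables

# Addresses configured on this box. Overridable so the logic can be
# exercised without the ip tool (e.g. LOCAL_ADDRS="192.168.1.1 10.0.0.1").
LOCAL_ADDRS="${LOCAL_ADDRS:-$(ip -4 -o addr 2>/dev/null | awk '{print $4}' | cut -d/ -f1)}"

# Return 0 if $1 is one of this box's own addresses.
is_local_addr() {
  for _a in $LOCAL_ADDRS; do
    [ "$_a" = "$1" ] && return 0
  done
  return 1
}

# Chain a packet for destination $1 traverses: INPUT when the destination
# is the box itself ("destined local"), FORWARD when it is routed onward.
chain_for() {
  if is_local_addr "$1"; then echo INPUT; else echo FORWARD; fi
}

# Print the rules for DNS queries arriving on interface $1 for server $2.
# A LOG rule precedes the ACCEPT so hits show up in the kernel log.
dns_rules() {
  _in="$1"; _dns="$2"
  _chain=$(chain_for "$_dns")
  _match="-i $_in -p udp -d $_dns --dport 53"
  if [ "$_chain" = FORWARD ]; then
    # Forwarded traffic also leaves on the internal interface.
    _match="-i $_in -o $INT_IF -p udp -d $_dns --dport 53"
  fi
  echo "-A $_chain $_match -j LOG --log-prefix DMZ-DNS:"
  echo "-A $_chain $_match -j ACCEPT"
  if [ "$_chain" = FORWARD ]; then
    # Replies from the server back to the DMZ, only for existing queries.
    echo "-A FORWARD -i $INT_IF -o $_in -p udp -s $_dns --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT"
  fi
}

# Apply (or, in dry-run mode, display) the generated rules.
apply_rules() {
  dns_rules "$@" | while IFS= read -r _rule; do
    if [ "$DRY_RUN" = 1 ]; then
      echo "iptables $_rule"
    else
      # Word-splitting of $_rule is intended; the rule text is operator-built.
      iptables $_rule
    fi
  done
}

apply_rules "$DMZ_IF" "$DNS_IP"
```

Run it as-is to see the rules it would add; set DRY_RUN=0 (as root, on a Linux box where you actually want them) to apply them. The point to take from the output is the difference between the INPUT rule you get when DNS_IP is one of the box's own addresses and the FORWARD rule pair you get when it is an internal server.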

tfunky
09-09-2008, 08:34 AM
I really think I had to make 3306 in the packet filter before my db servers and webservers could talk.

I'll play with that later and report back what I find. Maybe I just wasn't patient enough.

I'll report back what I find.