
UTM Firewall... oddity detected in firewall. Help...

Here are the two lines I'm referring to:

23:00:08 DNS request UDP 192.168.x.66 : 51805 202.112.0.44 : 53 len=70 ttl=128 tos=0x00 srcmac=94:de:80:27:4e:2f dstmac=00:25:90:f2:cb:67

23:00:08 Country blocked UDP 192.168.x.66 : 51805 202.112.0.44 : 53 len=70 ttl=127 tos=0x00 srcmac=94:de:80:27:4e:2f dstmac=00:25:90:f2:cb:67

As you can see, in the first row my internal DNS server (x.66) accepts and forwards a DNS request to the 202.112.0.44 address and the firewall allows it. Then, immediately afterwards, it tries again; this time, however, it gets blocked.

I am unable to figure out why this is happening, and what is causing it.

I have endpoint protection enabled on the DNS server, and no errors/warnings have been trapped. I've looked at my DNS logs on the DNS server, and I do not detect anything odd as well.

Any suggestions?

  • Your UTM is probably configured for China country blocking, check in Network Protection -> Firewall -> Country Blocking.

  • Oliver, when posting lines from the Firewall log, always show the lines from the full Firewall Log file. Alone among the logs, the Firewall Live Log shows abbreviated information in a format that is easier to read quickly. Normally, one can only solve problems with the complete log lines.

    Cheers - Bob
  • Ok, as per the suggestion:
    Here is an example of the problem again, but from the full firewall logs:
    2015:11:22-00:01:08 gateway ulogd[1364]: id="2014" severity="info" sys="SecureNet" sub="packetfilter" name="DNS request" action="DNS request" fwrule="60011" initf="eth1" srcmac="94:de:80:27:4e:2f" dstmac="00:25:90:f2:cb:67" srcip="192.168.x.66" dstip="202.112.0.44" proto="17" length="70" tos="0x00" prec="0x00" ttl="128" srcport="51932" dstport="53"
    2015:11:22-00:01:08 gateway ulogd[1364]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (GEOIP)" action="drop" fwrule="60019" initf="eth1" outitf="ppp0" srcmac="94:de:80:27:4e:2f" dstmac="00:25:90:f2:cb:67" srcip="192.168.x.66" dstip="202.112.0.44" proto="17" length="70" tos="0x00" prec="0x00" ttl="127" srcport="51932" dstport="53"
    Yes, I know I have country blocking enabled; what I'm curious about is how it seems to succeed on the first try and is then blocked via GEOIP. What I'm wondering is twofold:
    1) Why wasn't it blocked on the first attempt?
    2) How can I determine where these DNS requests are coming from, and how can I reduce the volume? I seem to get a ton of requests to/from China, even though I only have 2 workstations, 2 cell phones, and an XBMC box (excluding my DNS server itself).
  • action="DNS request" fwrule="60011" => You also have 'Log unique DNS requests' selected on the 'Advanced' tab of 'Firewall', so both lines are about the same, singular request.  I would have expected that first line in the Live Log to be on a white background and the second on a red - was that the case?

    The UTM is a "stateful" firewall that does connection tracking, so, instead of blocking "All" contact with China, you may want to block only traffic "From" there, thus allowing you to receive responses to requests sent "To" there.  Once you make that change, you may find that there aren't many requests to China, just a few that were persistently retried.

    Still, it's strange to have DNS requests going to China, so I would do malware scans of your Wintel devices.

    Cheers - Bob
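The correlation Bob describes (the id="2014" 'DNS request' line and the id="2021" GEOIP drop refer to one and the same packet) can be checked mechanically against the full firewall log, and the same pass answers Oliver's second question about which internal host is generating the traffic. The Python below is an added example, not code from this thread or from Sophos: it parses the ulogd key="value" format, groups lines by 5-tuple, and tallies GEOIP drops per source and destination. The sample lines are constructed (the internal addresses, the MAC on the last line, and the third and fourth lines are made up); only the field names and the id/fwrule values 2014/60011 and 2021/60019 come from the posted log.

```python
import re
from collections import Counter

# Constructed sample in the Sophos UTM full firewall-log format (ulogd key="value"
# pairs) shown in the thread.  Internal addresses, the last line's MAC, and the
# third and fourth lines are made up; field names and the id/fwrule values
# 2014/60011 and 2021/60019 mirror the posted lines.
SAMPLE_LOG = """\
2015:11:22-00:01:08 gateway ulogd[1364]: id="2014" severity="info" sys="SecureNet" sub="packetfilter" name="DNS request" action="DNS request" fwrule="60011" initf="eth1" srcmac="94:de:80:27:4e:2f" dstmac="00:25:90:f2:cb:67" srcip="192.168.50.66" dstip="202.112.0.44" proto="17" length="70" tos="0x00" prec="0x00" ttl="128" srcport="51932" dstport="53"
2015:11:22-00:01:08 gateway ulogd[1364]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (GEOIP)" action="drop" fwrule="60019" initf="eth1" outitf="ppp0" srcmac="94:de:80:27:4e:2f" dstmac="00:25:90:f2:cb:67" srcip="192.168.50.66" dstip="202.112.0.44" proto="17" length="70" tos="0x00" prec="0x00" ttl="127" srcport="51932" dstport="53"
2015:11:22-00:01:09 gateway ulogd[1364]: id="2014" severity="info" sys="SecureNet" sub="packetfilter" name="DNS request" action="DNS request" fwrule="60011" initf="eth1" srcmac="94:de:80:27:4e:2f" dstmac="00:25:90:f2:cb:67" srcip="192.168.50.66" dstip="198.51.100.10" proto="17" length="64" tos="0x00" prec="0x00" ttl="128" srcport="51933" dstport="53"
2015:11:22-00:01:10 gateway ulogd[1364]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (GEOIP)" action="drop" fwrule="60019" initf="eth1" outitf="ppp0" srcmac="aa:bb:cc:dd:ee:01" dstmac="00:25:90:f2:cb:67" srcip="192.168.50.20" dstip="202.112.0.44" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="40100" dstport="80"
"""

HEADER_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+ulogd\[\d+\]:\s+(?P<body>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Split one ulogd line into a dict of its key="value" fields plus ts/host."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("body")))
    fields["ts"] = m.group("ts")
    fields["host"] = m.group("host")
    return fields


def flow_key(f):
    """5-tuple that identifies one packet's flow across successive log lines."""
    return (f["proto"], f["srcip"], f["srcport"], f["dstip"], f["dstport"])


def correlate(log_text):
    """Group lines by flow so a 'DNS request' entry and a later drop for the
    same 5-tuple are recognised as one packet rather than two attempts."""
    flows = {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        entry = flows.setdefault(flow_key(f), {
            "first_ts": f["ts"],
            "dns_logged": False,   # saw an id=2014 'Log unique DNS requests' line
            "drop": None,          # name of the drop rule that hit, if any
            "ttl_seen": [],        # TTL on each line, in log order
            "outitf": None,        # outgoing interface, present only on the drop line
        })
        entry["ttl_seen"].append(int(f["ttl"]))
        if f.get("action") == "DNS request":
            entry["dns_logged"] = True
        elif f.get("action") == "drop":
            entry["drop"] = f.get("name")
            entry["outitf"] = f.get("outitf")
    return flows


def explain(entry):
    """Plain-English verdict for one flow."""
    if entry["dns_logged"] and entry["drop"]:
        return ("one DNS packet: logged by 'Log unique DNS requests', then dropped by "
                f"{entry['drop']} on the way out via {entry['outitf']}")
    if entry["drop"]:
        return f"dropped by {entry['drop']}"
    if entry["dns_logged"]:
        return "DNS request logged; no drop recorded for it"
    return "no verdict logged"


def drop_summary(flows, drop_name="Packet dropped (GEOIP)"):
    """Count GEOIP drops per internal source and per destination: which host
    is generating the traffic, and to where."""
    by_src, by_dst = Counter(), Counter()
    for (_, src, _, dst, _), entry in flows.items():
        if entry["drop"] == drop_name:
            by_src[src] += 1
            by_dst[dst] += 1
    return by_src, by_dst


if __name__ == "__main__":
    flows = correlate(SAMPLE_LOG)
    for key, entry in flows.items():
        print(key, "->", explain(entry), "| ttl seen:", entry["ttl_seen"])
    by_src, by_dst = drop_summary(flows)
    print("GEOIP drops by source:", dict(by_src))
    print("GEOIP drops by destination:", dict(by_dst))
```

Running it reports the first flow as a single DNS packet that was logged and then dropped. Two fields in the posted lines support that reading: the drop line carries outitf="ppp0" while the 'DNS request' line does not, and its TTL is one lower (127 against 128), which is consistent with the same packet being logged again at the forwarding stage rather than with a second request. The per-source tally is the place to start on Oliver's second question; once the source host is known, its own DNS query log (or a packet capture on port 53) shows which names are resolving to the blocked addresses.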