Sophos UTM Firewall Being Flooded With UDP Packets

Okay I have a Sophos UTM 9 Firewall set up. I have built two BIND DNS servers; one internal for doing recursive queries and one for an external domain with no recursion (so it doesn't act as if it's an open resolver.) 

I've correctly configured DNATs for external as follows:

And the following Firewall Rule:

Everything works fine when turned on, except my Firewall log keeps getting hammered with traffic:

on port 53 from several different random public IPs.


I've done some research online, and have read in many cases that this is normal. I have IPS on and configured correctly. UDP flood protection on (in which I've set low to test.) 

I've also configured a group of these public IPs to DROP automatically via Firewall rule. Although the packets are being dropped, I'm still being flooded with UDP:53 attempts, and my firewall log keeps building up in the Gigabytes. However, if I turn my NAT rule back on along with the Firewall rule, these public IPs are able to get in, with the NAT rule taking precedence over the:

rule set.

I have millions of packets being filtered daily, all from random IPs on port 53. My CPU doesn't get pegged out, but everything is slow on the DNS side when these rules are turned back on. Should I be putting the external DNS in a DMZ even though its recursion is turned off?


Thank you for any ideas!
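One way to triage the log build-up described above, as an added example that is not from the post or from Sophos: it parses UTM packetfilter log lines (the key="value" field names are assumed to match the UTM format; the sample lines are constructed) and summarises dropped UDP/53 packets per source, including how spread out the sources are, which separates a few noisy talkers worth blocking from a scattered flood that per-IP rules cannot keep up with.

```python
import re
from collections import Counter

# Matches the key="value" fields of a Sophos UTM packetfilter (ulogd) line.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample lines; the field names follow the UTM packetfilter log
# format as assumed here, the addresses are documentation ranges.
SAMPLE_LOG = """\
2024:01:05-10:00:01 utm ulogd[2345]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.7" dstip="198.51.100.2" proto="17" srcport="40123" dstport="53"
2024:01:05-10:00:01 utm ulogd[2345]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.7" dstip="198.51.100.2" proto="17" srcport="40124" dstport="53"
2024:01:05-10:00:02 utm ulogd[2345]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.7" dstip="198.51.100.2" proto="17" srcport="40125" dstport="53"
2024:01:05-10:00:02 utm ulogd[2345]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.0.2.44" dstip="198.51.100.2" proto="17" srcport="53" dstport="53"
2024:01:05-10:00:03 utm ulogd[2345]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.0.2.45" dstip="198.51.100.2" proto="6" srcport="51000" dstport="443"
2024:01:05-10:00:03 utm ulogd[2345]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="eth1" srcip="192.0.2.10" dstip="198.51.100.2" proto="17" srcport="33000" dstport="53"
"""


def parse_line(line):
    """Return one log line's key="value" fields as a dict."""
    return dict(KV_RE.findall(line))


def summarize_udp53_drops(log_text, per_source_threshold=2):
    """Count dropped UDP packets to port 53 per source address.

    'spread' is distinct sources divided by packets: near 1.0 means the
    traffic is scattered over many addresses (typical of a spoofed flood,
    where per-IP block rules cannot keep up); near 0 means a few talkers.
    """
    per_source = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("action") == "drop" and f.get("proto") == "17" and f.get("dstport") == "53":
            per_source[f["srcip"]] += 1  # proto 17 is UDP
    total = sum(per_source.values())
    noisy = sorted(ip for ip, n in per_source.items() if n >= per_source_threshold)
    spread = len(per_source) / total if total else 0.0
    return {"total": total, "per_source": per_source, "noisy": noisy, "spread": spread}


if __name__ == "__main__":
    s = summarize_udp53_drops(SAMPLE_LOG)
    print(f"dropped UDP/53 packets: {s['total']}, source spread: {s['spread']:.2f}")
    for ip, n in s["per_source"].most_common():
        print(f"  {ip:15} {n}")
    print("sources at/above threshold:", s["noisy"])
```

Run it against the real packetfilter log instead of SAMPLE_LOG; a high spread value is the sign that blocking individual sources will not shrink the log, so rate limiting or a tighter DNAT target is the next thing to look at.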



  • How about instead of criticizing you give reasonable help and suggestions? Isn't that the whole reason for the community forums?


    Thank you. 

  • Justin, I've helped a lot of folks here over the years, but I had nothing to add to Darrell's answer.  I apologize if you felt that was criticism - none such intended!  It seemed like you were new to this and I wanted to underline the importance of taking his advice.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I'm new here in the forums yes, but IT no. I'm just looking for good advice. I've been working with Sophos UTM as a Sys Tech/Admin at my company for about a year now, and recently pieced together a machine and put Home Edition on it and have been running it on my home network. I know there are a lot of angles when it comes to DNS. I myself usually like to start the hard way and work my way down to an easy solution, in the process understanding everything a lot better. I'm basically testing things for the most part, and just wondered what a lot of other people out there do in similar situations. I know it's an easy solution to do DDNS, but I wanted to try and host it myself just because I can. Idk, it's an IT thing I guess.
