
Support => General Support => Topic started by: Assistenza Merqurio on Tuesday 29 September 2015, 08:45:55 pm

Title: Endian Firewall blocks DNS resolution when I apply new firewall rules
Post by: Assistenza Merqurio on Tuesday 29 September 2015, 08:45:55 pm
This issue is actually blocking the production environment.

We are running Endian Firewall Community 3.0.5-beta1 on a vSphere ESXi 5.5 host. The server has several red connections (4) to the WAN and 2 local ones, green and blue. The VM has 3 GB RAM and 8 vCPUs, 7 vmxnet3 adapters, and is hosted on a >150 MB/sec datastore.

We are having issues each time we apply a new outbound firewall rule: 2 to 4 minutes after applying, DNS resolution starts failing for 2-4 minutes, then it just comes back. We are running no routes nor traffic shaping, no DNS proxies, no specific FW rules about DNS, just the outbound rule SRC green+blue DST red DPT 53 TCP+UDP action ALLOW. We have different DNS servers specified per uplink and they all fail to resolve until the 2-4 minute period has passed. While names are not resolving, no need to say that everything else in our networking keeps on working: active sessions like ssh are not dropped, every resource relying on a cached name resolution keeps on working at the application level, but if you try to access a resource whose name has not yet been resolved you get a "dns request timed out", as well as when forcing name resolution through dig/nslookup.


Title: Re: Endian Firewall blocks DNS resolution when I apply new firewall rules
Post by: Assistenza Merqurio on Friday 09 October 2015, 12:05:47 am
After testing we came to the following conclusion.

We had rules for ICMP and DNS down around the 40th position.
We brought them up and found the problem was gone; every apply stopped disconnecting us.

We understood why, too.
Complex outbound firewall rules like:

SRC (20 local ips list)
DST (15 public subnets list)
SERVICE TCP
DST PORTS (10 ports list)

will:

1) slow down the ruleset loading
2) appear to be partially applied for long (minutes) periods after pressing APPLY
   (for instance, we notice the rule working for the first IP of the list and only after minutes does it start working for the last IP of the rule)
3) when 2) happens, rules below the "complex" rule will not work either.

We finally came to the point that Endian Community is unable to meet our requirements as the outbound configuration policy gets more complicated.
Right or wrong?

How can we further diagnose the issue we're facing?