EFW Support forum, General Support board
Topic: Endian Firewall block dns resolution,when i apply new firewall rules (Read 9906 times)
Assistenza Merqurio (Jr. Member, Posts: 2), on: Tuesday 29 September 2015, 08:45:55 pm
This issue is actually blocking the production environment.
We are running Endian Firewall Community 3.0.5-beta1 on a vSphere ESXi 5.5 host. The server has several red connections (4) to the WAN and 2 local ones, green and blue. The VM has 3GB RAM and 8 vCPUs, 7 vmxnet3 adapters and is hosted on a >150MB/sec datastore.
We are having issues each time after applying a new outbound firewall rule: 2 to 4 minutes after the apply, DNS resolution starts failing for 2-4 minutes, then it just comes back. We are running no routes nor traffic shaping, no DNS proxies, no specific FW rules about DNS, just the outbound rule SRC green+blue DST red DPT 53 TCP+UDP action ALLOW. We have different DNS servers specified per uplink and they all fail to resolve until the 2-4 minute period has passed. While names are not resolving, needless to say, everything else in our networking keeps on working: active sessions like SSH are not dropped, every resource relying on a cached name resolution keeps on working at the application level, but if you try to access a resource whose name has not yet been resolved you get a "dns request timed out", as you also do when forcing name resolution through dig/nslookup.
Assistenza Merqurio (Jr. Member, Posts: 2), Reply #1 on: Friday 09 October 2015, 12:05:47 am
After testing we came to the following conclusion.
We had rules for ICMP and DNS down around the 40th position.
We brought them up and found the problem was gone; every apply stopped disconnecting us.
We understood why, too.
Complex outbound firewall rules like:
SRC (20 local IPs list)
DST (15 public subnets list)
SERVICE TCP
DST PORTS (10 ports list)
will,
1) slow down the ruleset loading
2) appear to be partially applied for long (minutes) periods after pressing APPLY
(for instance, we noticed the rules working for the first IP of the list and only after minutes starting to work for the last IP of the rule)
3) when 2) happens, rules below the "complex" rule will not work either.
We finally came to the point that Endian Community is unable to meet our requirements as the outbound configuration policy gets more complicated.
Right or wrong?
How can we further diagnose the issue we're facing?