Welcome, Guest. Please login or register.
Did you miss your activation email?
Sunday 01 December 2024, 07:37:52 am

Login with username, password and session length

The Latest Endian Firewall is now available for download HERE
14261 Posts in 4377 Topics by 6517 Members
Latest Member: Sandro
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  General Support
| | |-+  Endian Firewall block dns resolution,when i apply new firewall rules
0 Members and 0 Guests are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: Endian Firewall block dns resolution,when i apply new firewall rules  (Read 10622 times)
Assistenza Merqurio
Jr. Member
*
Offline Offline

Posts: 2


« on: Tuesday 29 September 2015, 08:45:55 pm »

This issue is actually blocking the production environment.

We are running Endian Firewall Community 3.0.5-beta1 on a vSphere ESXi 5.5 host. The server has several red connections (4) to wan and 2 local green and blue. The VM has 3GB RAM and 8vcpu, 7 vmxnet3 adapters and is hosted on a >150MB/sec datastore.

We are having issues each time after apply a new outbound firewall rule, 2 to 4 minutes after apply, dns resolution starts failing for 2-4 minutes than it just comes back. We are runnning no routes nor traffic shaping, no dns proxies no specific FW rules about dns, just the outbound rule SRC green+blue DST red DPT 53TCP+UDP action ALLOW. We have different DNS Servers specified per uplink and they all fail to resolve until the 2-4 minutes period has last. While not resolving names, no need to say that everything else of our networking keeps on working, active sessions like ssh are not dropped, every resource relying on a cached name resolution keeps on working at the application level, but if you try to access a resource who's name has not yet been resolved you get a "dns request timed out", as well as forcing name resolution throug dig/nslookup.
Logged
Assistenza Merqurio
Jr. Member
*
Offline Offline

Posts: 2


« Reply #1 on: Friday 09 October 2015, 12:05:47 am »

after testing we came to the following conclusion

We had rules for ICMP and DNS down around 40th position.
We bring them up and found the problem was gone, every apply stopped disconnecting us.

We understood why, too.
complex outbound firewall rules like:

SRC (20 local ips list)
DST (15 public subnets list)
SERVICE TCP
DST PORTS (10 ports list)

will,

1) slow down the ruleset loading
2) appear to be partially applied for long (minutes) periods after pressing APPLY
                (for instance, we notice the rules working for the first ip of the list and after minutes starts working for the last ip of the rule)
3) when 2. happens, rules below the "complex" rule will not work as well.

We finally came to the point that Endian Community is unable to meet our requirements as the outbound configuration                policy gets more complicated.
Right or wrong?

How can we further diagnose the issue we're facing?
Logged
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.047 seconds with 18 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com