Welcome, Guest. Please login or register.
Did you miss your activation email?
Thursday 31 October 2024, 11:14:15 pm

Login with username, password and session length

The Latest Endian Firewall is now available for download HERE
14248 Posts in 4376 Topics by 6515 Members
Latest Member: hulteends
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  General Support
| | |-+  Endian Firewall block dns resolution,when i apply new firewall rules
0 Members and 1 Guest are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: Endian Firewall block dns resolution,when i apply new firewall rules  (Read 9885 times)
Assistenza Merqurio
Jr. Member
*
Offline Offline

Posts: 2


« on: Tuesday 29 September 2015, 08:45:55 pm »

This issue is actually blocking the production environment.

We are running Endian Firewall Community 3.0.5-beta1 on a vSphere ESXi 5.5 host. The server has several red connections (4) to wan and 2 local green and blue. The VM has 3GB RAM and 8vcpu, 7 vmxnet3 adapters and is hosted on a >150MB/sec datastore.

We are having issues each time after apply a new outbound firewall rule, 2 to 4 minutes after apply, dns resolution starts failing for 2-4 minutes than it just comes back. We are runnning no routes nor traffic shaping, no dns proxies no specific FW rules about dns, just the outbound rule SRC green+blue DST red DPT 53TCP+UDP action ALLOW. We have different DNS Servers specified per uplink and they all fail to resolve until the 2-4 minutes period has last. While not resolving names, no need to say that everything else of our networking keeps on working, active sessions like ssh are not dropped, every resource relying on a cached name resolution keeps on working at the application level, but if you try to access a resource who's name has not yet been resolved you get a "dns request timed out", as well as forcing name resolution throug dig/nslookup.
Logged
Assistenza Merqurio
Jr. Member
*
Offline Offline

Posts: 2


« Reply #1 on: Friday 09 October 2015, 12:05:47 am »

after testing we came to the following conclusion

We had rules for ICMP and DNS down around 40th position.
We bring them up and found the problem was gone, every apply stopped disconnecting us.

We understood why, too.
complex outbound firewall rules like:

SRC (20 local ips list)
DST (15 public subnets list)
SERVICE TCP
DST PORTS (10 ports list)

will,

1) slow down the ruleset loading
2) appear to be partially applied for long (minutes) periods after pressing APPLY
                (for instance, we notice the rules working for the first ip of the list and after minutes starts working for the last ip of the rule)
3) when 2. happens, rules below the "complex" rule will not work as well.

We finally came to the point that Endian Community is unable to meet our requirements as the outbound configuration                policy gets more complicated.
Right or wrong?

How can we further diagnose the issue we're facing?
Logged
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.031 seconds with 18 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com