FW-1 question

  1. #1 (Senior Member, joined Feb 2002, 177 posts)

    FW-1 question

    I'm running FW-1 NG FP2 on RH Linux 7.2. For the past week or so I've been driving myself nuts trying to figure out why my firewall machine was querying our ISP's DNS server non-stop. I thought my machine was compromised so I rebuilt it....twice (good practice, but still annoying). Still the same thing. So today I finally make the connection. Last night I was running ethereal, and checking every DNS query sent to the DNS server. I wrote them all down. There were a series of queries repeating over and over again. These queries, I should point out, were arpa requests, so I got the IP of every DNS query. Now...I compared this list of IPs to the firewall log from last night. Every IP on the list 'attacked' my firewall at least once. After the attack, my firewall machine would try to resolve the name of the attacker. It's not just attackers either. Any machine that tries to contact my firewall in any way leaves its IP behind....and my firewall tries to resolve it...over and over again. Now this could very well be normal performance, but I don't like it. Is there a way to turn this off? Even if I allow the DNS queries to go through, the firewall just keeps sending them over and over regardless of the results it gets. Anyone ever hear of this before?

    Thanks!
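The correlation the poster did by hand (pull the IP out of each in-addr.arpa PTR query, count repeats, match against source addresses in the firewall log) as an added example, not code from the thread. The DNS query lines and firewall log lines are constructed samples in a made-up format; adjust the two regexes to whatever your capture tool and log export actually emit.

```python
import re
from collections import Counter

# Constructed sample of DNS queries as a sniffer summary might show them:
# several PTR (reverse) queries, some repeated, plus one ordinary A query.
DNS_QUERIES = [
    "Standard query PTR 8.7.6.5.in-addr.arpa",
    "Standard query A www.example.com",
    "Standard query PTR 8.7.6.5.in-addr.arpa",
    "Standard query PTR 20.0.0.10.in-addr.arpa",
    "Standard query PTR 9.113.0.203.in-addr.arpa",
    "Standard query PTR 8.7.6.5.in-addr.arpa",
    "Standard query PTR 20.0.0.10.in-addr.arpa",
    "Standard query PTR 9.113.0.203.in-addr.arpa",
    "Standard query PTR 1.168.192.in-addr.arpa",  # only three octets: skipped
]

# Constructed firewall log lines (hypothetical format) with the source IPs
# that hit the firewall; 203.0.113.9 is deliberately absent.
FW_LOG = [
    "drop src 5.6.7.8 dst 192.0.2.1 service http",
    "drop src 10.0.0.20 dst 192.0.2.1 service ssh",
    "accept src 192.0.2.50 dst 192.0.2.1 service dns",
]

PTR_RE = re.compile(r"PTR\s+((?:\d{1,3}\.){4})in-addr\.arpa", re.I)
SRC_RE = re.compile(r"\bsrc\s+(\d{1,3}(?:\.\d{1,3}){3})\b")

def ptr_to_ip(query):
    """Turn a reverse-lookup name (octets reversed) back into a dotted IPv4 address."""
    m = PTR_RE.search(query)
    if not m:
        return None
    return ".".join(reversed(m.group(1).rstrip(".").split(".")))

def repeated_reverse_lookups(queries, min_count=2):
    """IPs whose PTR query shows up at least min_count times."""
    counts = Counter(ip for ip in map(ptr_to_ip, queries) if ip)
    return {ip: n for ip, n in counts.items() if n >= min_count}

def correlate_with_firewall_log(queries, fw_lines, min_count=2):
    """Repeated PTR targets that also appear as source addresses in the firewall log."""
    fw_ips = {m.group(1) for line in fw_lines for m in [SRC_RE.search(line)] if m}
    hits = repeated_reverse_lookups(queries, min_count)
    return {ip: n for ip, n in hits.items() if ip in fw_ips}

if __name__ == "__main__":
    for ip, n in sorted(correlate_with_firewall_log(DNS_QUERIES, FW_LOG).items()):
        print(f"{ip}: {n} reverse lookups, seen in firewall log")
```

A high overlap between repeated PTR targets and logged source addresses points at something on the box resolving log entries, not at a compromise.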

  2. #2 (Senior Member, joined Jun 2002, 165 posts)

    I'm not sure of a FW-1 NG option to modify the logging options.

    Do you need or want external DNS resolution on this host?

    If not, you could always modify the hosts line in /etc/nsswitch.conf, removing the 'dns' entry and terminating with a '[NOTFOUND=return]'.
    -droby10

  3. #3 (Senior Member, joined Feb 2002, 177 posts)

    I'd like to maintain DNS resolution from this machine, but I do not want it to automatically try to reverse lookup every single IP that comes into the firewall. Even if I allow outgoing traffic on the firewall, and let it resolve the IPs, it will continue to hammer the DNS server.

  4. #4 (Senior Member, joined Jan 2002, 458 posts)

    It is more than likely because the log viewer is trying to resolve addresses for every entry in the logs, which is not a good idea IMO.

    In the log viewer choose select --> options, and then uncheck the box that says resolve addresses.

    That should solve your problem....very nice guess Droby....

  5. #5 (Senior Member, joined Feb 2002, 177 posts)

    I found the little option under 'Tools' that says quite simply....resolve addresses...either check it...or don't....or completely overlook it, and don't think in a million years that the log viewer might be the thing that's been driving you nuts....
    hehehe

    Hey thanks a lot Invictus....again.
