We allow for stateful DNS queries initiated from behind our firewall,
but we block incoming DNS queries (since we don't have our own DNS server)
with...
# Anything to port 53 arriving on the outside interface (fxp0) is handed to
# group 53; "quick" ends evaluation once the group has been consulted.
block in quick on fxp0 proto tcp/udp from any to any port = 53 head 53
# Group 53 blocks and logs it all, answering UDP with an ICMP port-unreachable
# and TCP with a RST.
block return-icmp-as-dest(port-unr) \
in log quick proto udp from any to any group 53
block return-rst in log quick proto tcp from any to any group 53
Our firewall doesn't do NAT (since it's running as a bridge). It's running
under OpenBSD 2.8 w/ IPF v3.3.18 (184). (I know this is incredibly old and
probably dangerous, but at least it's not accessible to the Internet.)
Despite the above rules, TCP port 53 SYN packets are apparently making
it past the firewall, since I'm seeing RST (reset) packets being sent out in
response. (We have "flow logs" from a higher level on our network to show the
SYN packets coming in, so we're confident the RST packets are, in fact, being
sent in response to those and not as the result of some internal address
spoofing or other internal source.) FWIW, our outgoing rules for port 53 look
like this:
# Port-53 traffic arriving on the inside interface (fxp1) goes to group 1053.
block in quick on fxp1 proto tcp/udp from any to any port = 53 head 1053
# Queries from the local subnet pass and create state, so the replies coming
# back in on fxp0 are matched by the state table before any rule is consulted.
pass in quick proto udp from $local_subnet to any \
keep state keep frags group 1053
pass in quick proto tcp \
from $local_subnet to any flags S/SAFR keep state keep frags group 1053
# Everything else to port 53 from inside is blocked and logged (UDP gets an
# ICMP port-unreachable, TCP gets a RST).
block return-icmp-as-dest(port-unr) \
in log quick proto udp from any to any group 1053
block return-rst in log quick proto tcp from any to any group 1053
(This is cleaned up for readability and obscured a little bit.) I seem to
recall reading about a "keep state bug" with older versions of IPF, but I
don't recall any details. Could that be the explanation here? Oddly enough,
I just tried a "telnet <local-IP> 53" from a Windows XP system off-site, and
the firewall blocked and logged the SYN packet right away. What's with this
apparent non-deterministic behavior (or is it tied to the aforementioned "keep
state bug")?
Thanks,
Mike
--
Michael T. Davis (Mike) | Systems Specialist: CBE,MSE
E-mail: [EMAIL PROTECTED] | Departmental Networking/Computing
-or- [EMAIL PROTECTED] | The Ohio State University
http://www.ecr6.ohio-state.edu/~davism/ | 197 Watts, (614) 292-6928
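As an added illustration for this thread (not Mike's code and not part of IPFilter), the script below models how IPF walks the two rule blocks quoted above: "in" rules on a two-interface bridge, "quick", "head"/"group", "keep state", TCP flag masks and the return-rst / return-icmp-as-dest actions, with last-match-wins semantics unless a matching rule is "quick" and a matching "head" rule overridden by whichever of its group rules matches. It runs four constructed packets through the rules: an unsolicited SYN arriving on fxp0, which lands on the group-53 return-rst rule and so is reported as blocked, logged and answered with a RST (under these rules that is where an outgoing RST for a blocked SYN comes from); a query from inside that passes and creates state; its reply on fxp0 that passes on the state check alone; and a non-SYN segment from inside that fails flags S/SAFR and drops through to the group-1053 return-rst rule. The subnet 192.0.2.0/24 standing in for $local_subnet, the addresses, and the assumption of a catch-all block for packets no rule matches (IPF's own default is pass, and the cleaned-up listing shows no catch-all) are all mine.

```python
"""Toy model of IPFilter evaluating the DNS rules quoted in the post.

Added example for the thread, not the poster's code or IPFilter's.  Only the
features the quoted rules use are modelled; subnet, addresses and packets
are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOCAL_SUBNET = ip_network("192.0.2.0/24")  # stands in for $local_subnet (assumed)


@dataclass
class Rule:
    action: str               # "pass" or "block"
    proto: tuple              # e.g. ("tcp", "udp")
    iface: str = None         # None: any interface
    src: str = "any"          # "any" or "local" ($local_subnet)
    dport: int = None         # destination port, None: any
    flags: str = None         # "S/SAFR": wanted flags / mask
    quick: bool = False
    log: bool = False
    head: int = None          # group this rule opens
    group: int = 0            # group this rule belongs to (0: top level)
    keep_state: bool = False
    ret: str = None           # "rst" or "icmp-port-unr"


@dataclass
class Packet:
    iface: str                # interface the packet enters on
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    tcp_flags: str = ""       # subset of "SAFRPU"


# The two rule blocks from the post, in file order.
RULES = [
    Rule("block", ("tcp", "udp"), iface="fxp0", dport=53, quick=True, head=53),
    Rule("block", ("udp",), group=53, quick=True, log=True, ret="icmp-port-unr"),
    Rule("block", ("tcp",), group=53, quick=True, log=True, ret="rst"),
    Rule("block", ("tcp", "udp"), iface="fxp1", dport=53, quick=True, head=1053),
    Rule("pass", ("udp",), src="local", group=1053, quick=True, keep_state=True),
    Rule("pass", ("tcp",), src="local", flags="S/SAFR", group=1053, quick=True,
         keep_state=True),
    Rule("block", ("udp",), group=1053, quick=True, log=True, ret="icmp-port-unr"),
    Rule("block", ("tcp",), group=1053, quick=True, log=True, ret="rst"),
]


def rule_matches(r, p):
    if r.iface is not None and r.iface != p.iface:
        return False
    if p.proto not in r.proto:
        return False
    if r.src == "local" and ip_address(p.src) not in LOCAL_SUBNET:
        return False
    if r.dport is not None and p.dport != r.dport:
        return False
    if r.flags is not None:  # each flag in the mask must equal its wanted value
        want, mask = r.flags.split("/")
        if any((f in p.tcp_flags) != (f in want) for f in mask):
            return False
    return True


def evaluate(p, group=0):
    """Return the rule that decides p within `group`, or None if none matched."""
    decided = None
    for r in (r for r in RULES if r.group == group):
        if not rule_matches(r, p):
            continue
        decided = r
        if r.head is not None:                # descend into the group it opens;
            decided = evaluate(p, r.head) or r  # the head's action is the fallback
        if r.quick:
            break
    return decided


def filter_packet(p, state, default="block"):
    """State table first (as IPF does), then the rules; `default` is the
    assumed catch-all for packets no rule matches."""
    fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
    rev = (p.proto, p.dst, p.dport, p.src, p.sport)
    if fwd in state or rev in state:
        return {"action": "pass", "by": "state", "log": False, "return": None}
    r = evaluate(p)
    if r is None:
        return {"action": default, "by": "default", "log": False, "return": None}
    if r.action == "pass" and r.keep_state:
        state.add(fwd)
    return {"action": r.action, "by": f"group {r.group}", "log": r.log, "return": r.ret}


def demo():
    """Run four constructed packets through the rule set."""
    state, out = set(), {}
    # Unsolicited SYN from the Internet arriving on the outside interface.
    out["inbound_syn"] = filter_packet(
        Packet("fxp0", "tcp", "198.51.100.7", "192.0.2.10", 40000, 53, "S"), state)
    # A query from inside, then its reply coming back in on fxp0.
    out["query"] = filter_packet(
        Packet("fxp1", "udp", "192.0.2.10", "198.51.100.53", 5353, 53), state)
    out["reply"] = filter_packet(
        Packet("fxp0", "udp", "198.51.100.53", "192.0.2.10", 53, 5353), state)
    # A non-SYN segment from inside with no state entry: fails flags S/SAFR.
    out["stray_ack"] = filter_packet(
        Packet("fxp1", "tcp", "192.0.2.10", "198.51.100.53", 40001, 53, "A"), state)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} {result}")
```

The "by" field in each result names the group whose rule decided the packet, which is the quickest way to see that an inbound SYN never reaches the group-1053 pass rules at all: it is handled entirely by the head-53 rule and its return-rst group member.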