idiot with a firewall

I am at a large corporation. I am in charge of a project that involves, among other things, DNS. There is a nameserver for an internet domain that as far as I can tell is not being allowed to talk to the internet. I politely point this out and the moron in charge of the firewall says no it can talk to the internet and after some back and forth, in which every exchange he adds that there is nothing wrong with the firewall, he gives me a screen print of a GUI that shows port 53 open to receive from the outside. What kind of a sorry ass network guy uses the GUI? It is a firewall, not a Mac, get a clue and use the CLUI. He also touts as proof the server talks to the outside that he is seeing hits on port 53. How the hell does that prove it can answer? He tells me that it doesn’t need to have 53 open to send anyway because the answers come back on the same path the queries come in. GET A CLUI THIS IS UDP YOU ASSHOLE. UDP does not maintain the session. UDP means you send stuff and hope for an answer, but you don’t maintain an open connection. He is such a pathetic luser that he doesn’t understand UDP or the fact that a DNS server may have to initiate a query to another server to look up another domain? I asked for logs that show the traffic coming out of the DMZ, knowing full well they will be blank. He claims to be too busy, and the firewall wouldn’t have those logs anyway, and no sniffer is available. WHAT? A firewall that can’t show any record of a specific port and IP address traffic going out? No sniffer available? A multibillion dollar company has no ability to check outgoing traffic? He expects me to believe that there is no laptop we can slap netmon on and check this out? This is not my little pet problem, this is a public domain. No one has complained because the other DNS is up, but what happens if something happens to it? First he says that I must have my server misconfigured and then he does a lookup to prove nothing is wrong.
OF COURSE THAT WORKED IT WAS FROM THE INSIDE! Oddly enough, most public queries for these domains are going to come from the outside and MY DNS SERVER CAN’T ANSWER because the firewall is not letting it. I show him a lookup from a client on the internet that fails; I show the client can look up other names; he claims Zone Alarm is on that and when he turned it off, the lookups succeeded. FUCKING LIAR!!! IT DID NOT! I was able to mail my lookup to myself because I could log in to my webmail BY DOMAIN NAME. ARE YOU TELLING ME THAT YOU HAD ZONE ALARM CONFIGURED TO BLOCK ONLY MY DNS SERVER???

I make a sweet reply that I need the logs, whether by firewall, or through sniffer because if my server is badly misconfigured, I need to see the packets that are failing to diagnose the problem. He still refuses.


WHO WAS THE FREAKING IDIOT THAT DECIDED MASTER/SLAVE WAS A GOOD THING TO PUT INTO A COMPUTER PROTOCOL. I felt like a right ass talking to someone who sounded black (not the asshole in the above rant, that ass is white) about my slave not talking to its master. I felt as tactless as the Bursar mentioning billy goats to the troll at the bridge.

I’m with you on this one, that fucking asshole, unbelievable.

I think after two more beers, I’ll be able to pretend I understood the OP.

And as a side note, Los Angeles County recently attempted (succeeded?) to ban the term master/slave in re computers.

Yeah, I read about that. Not the way to change the protocol, but a worthy sentiment IMO. There was no need to use that language and being computer related, they can hardly argue historical tradition and whatnot.

You want to understand the OP? Imagine being in a hotel room and when you call anyone outside the hotel, you can’t. You call the front desk, they can hear you, call other rooms, they can hear you, but try to call Pizza Hut, and you can’t. What is more, when someone from the outside calls your room, you can hear them, but they can’t hear you. Then the front desk clerk claims that it must be your phone, then claims since he can hear you, your phone is fine so quicherbichin. You know damn well the little twerp did not flip the switch to allow you to make outside calls despite you giving them your credit card number and paying for the privilege.

I hear ya. I have this asshat (the guy in charge of computer and network security) telling me a couple years ago that I have to shut down my proxy server. I look at him dumbfounded?! I am at the end of a long WAN link that handles critical mission applications like SAP, email, and internet, and this clown wants me to shut down the server that saves us about 40% on bandwidth.
“Uh, why do you want me to do that?”
“Because we can’t see who is going where on the internet”
“No problem. I’ll send you a log anytime you want me to, or here is the logon account. Fill your boots.”
“No, the manager (his manager, not mine. Unfortunately, his has balls.) has said this is the way it will be, so do it.” Obviously, he has made this recommendation and isn’t interested in hearing a rational argument about it.
Now I am actually higher up on the ladder than he is, but I work in a different division than corporate IT, so am pretty much ignored as having any sort of opinion. Unfortunately, I am also the only one who seems to have a clue. So, fine. I shut down the proxy server.
I go back to Calgary and am in the office and the security guy climbs down out of the tree and makes this declaration, “Yeah, that proxy server was generating most of the internet traffic at your site”.
Me, I’d be surprised if there was ANY internet traffic that wasn’t going through the proxy server because there was no way they could get across the WAN to the internet otherwise. The firewall blocked every other address but that one.
So, I ask him for some reports as to internet usage. Nope, that is strictly controlled by his boss and only he can okay items like this. I ask my neutered boss to get me the reports so I have a hope of kicking off guys surfing and not working. Well, we know how that went. I have no idea who is using what bandwidth and no way to correct anything if people start to complain that they can’t get their job done.
Fucking moron who doesn’t understand how networks actually work or what a proxy server is and why you’d want it on a limited fucking bandwidth connection. And fuck the even bigger moron who places a computer illiterate in charge of security and then only listens to him as to how things should work, never once stopping to ask the guy in the field why he has a particular piece of equipment on his system! :rolleyes:

BTW, you are asking them to fund the extra bandwidth required by the loss of your proxy server, aren’t you?

This is the first time I have dealt with a tech this nastily incompetent. He could easily prove that he had his firewall right, but won’t. WHY?

It is a strange world I live in. We pay all the bills and yet have no say in how it is spent.
You see, my life is controlled by specialists who don’t talk to each other, or know the big picture, and figure that because they are so knowledgeable in their own field, that it translates to all fields. In addition to that, it is a large oil company where accountants and lawyers are held in high regard and engineers spend large amounts of time in budget meetings instead of doing the stuff they were trained for. It is lucky that the oil price is high.

Only two beers?

Shit, I’d need a whole bloody vat down my throat before even coming close to comprehending just one part of what Lee was ranting about.

Sometimes I feel so dumb.

Still nothing from him. The other DNS server has a scheduled downtime in the near future. This must be resolved soon.

lee, I strongly suggest a CYA email to your supervisor and his explaining the situation. That way maybe you won’t take the fall when the scheduled downtime comes for the other server and you have NO DNS!!!

Jeez. Idjits. People like that shouldn’t even be working in IT, and yet IT has so many of them…

Depending on the make of firewall, he may well be right.

For example, a Cisco PIX firewall implicitly allows all traffic going from a high security interface to a lower security interface. I.e., traffic from the inside interface is allowed to the outside interface without needing a specific rule allowing it.

If you want to e-mail me the relevant info I can test a couple queries for you.

Haven’t used PIXOS 6.x lately, have you?

Your statement is true provided that you have not defined an access group on an interface. The moment you define an access group on an interface, the “default” behavior you describe is overridden, and the access control list you assign to that interface takes over. If the packet falls through the ACL without matching, the packet is denied, without any regard to the security levels of the interfaces involved.

Since conduits are officially deprecated in 6.0 and later and Cisco is encouraging everyone to use access lists for access control, most PIXen in recent deployment will not show the behavior you talk about.

In my opinion, this constitutes a bloody stupid change by Cisco, but, hey, Cisco knows best, right?
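The behaviour described in the two posts above, shown as an added PIX 6.3 configuration fragment (not from anyone in this thread; interface names, the DMZ address 172.16.1.53 and the public address 203.0.113.53 are assumed placeholders). It shows the inbound rule the screenshot would have covered alongside the DMZ-side access-group that, once bound, replaces the security-level default and so must explicitly permit the lookups the name server initiates itself:

```cisco
! Assumed: authoritative DNS server lives in the DMZ as 172.16.1.53,
! published to the Internet as 203.0.113.53 (placeholder addresses).
static (dmz,outside) 203.0.113.53 172.16.1.53 netmask 255.255.255.255 0 0

! Inbound: Internet clients may query the server (UDP for lookups, TCP
! for large answers and zone transfers). This is the "port 53 open" half.
access-list outside_in permit udp any host 203.0.113.53 eq domain
access-list outside_in permit tcp any host 203.0.113.53 eq domain
access-group outside_in in interface outside

! Outbound from the DMZ: binding an access-group here switches off the
! implicit higher-to-lower permit for this interface, so anything not
! listed is dropped. Replies to the permitted inbound queries still pass
! on the PIX connection entry; what needs this rule is traffic the server
! itself originates: recursive lookups of other domains and TCP/53
! transfers from a slave to its master.
access-list dmz_out permit udp host 172.16.1.53 any eq domain
access-list dmz_out permit tcp host 172.16.1.53 any eq domain
access-group dmz_out in interface dmz

! Evidence instead of a screenshot: ACL denies are logged at level 4
! (%PIX-4-106023), so a buffered log answers "is the firewall dropping it?"
logging on
logging buffered warnings
! show access-list         -> per-line hitcnt shows whether dmz_out ever matches
! show logging             -> 106023 lines name the dropped source/destination/port
```

The hit counters and deny logs are the record the original poster asked for; a `dmz_out` line with a zero hit count while lookups fail points at a missing or mis-ordered rule rather than at the server.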

The thing is, the crux of the matter is that the DNS server responds normally to queries made from the inside and is silent to those made from the outside. Now, it could be that the DNS server is set up wrong; I have checked everything that I can think of so far. I did not configure it, so I can’t say that it is correct. I have reports that it was working, but that was on another network. However, it seems more likely that there is a networking issue and the only one that can fix that has his head up his ass. He won’t work with me and he won’t prove me wrong. WHICH I WOULD WELCOME. If it were me and some weenie were whining that my equipment was misconfigured, I would have a log to him so fast showing my stuff was set up correctly his head would spin.

Actually, we have a PIX 520 running 6.3(3). The guy in charge of the firewall, however, doesn’t quite understand ACLs, and as such we’re still using conduits. I’d like to change it, but I can’t.

IT has no shortage of poseurs. And as such I imagine there are a fair number of PIX out there that still follow the implicit outbound allowed rule. I think I’ve read that the next release of the PIX software will completely desupport the conduit commands. I wonder how many will blindly perform an update…

My 520 still uses conduits, but that’s because it’s a 520 and therefore has been in continuous use since the dawn of time. The 515 I have at the other office uses access lists, because it was deployed only recently and came with 6.1(3) installed.

I’m simply not going to upgrade the 520. It will be retired at the end of June and sent to live in the home for wayward network hardware after that. It will never see the death of conduits. Poor thing. :slight_smile:

Ain’t that the truth. :rolleyes:

Well, I was pretty clueless through most of it, but this did make me giggle:

It’s like Dr. Seuss at his most technological.