15.7.2. Firewall becomes very slow with new policy

You compiled and started the firewall policy script and then noticed that seemingly every operation on the firewall takes much longer than before. For example, logging in with telnet or ssh takes forever, and various services take a few minutes to start or won't start at all.

Most likely the firewall needs to do DNS lookups but can't. Look in /etc/resolv.conf for the address of the name server it uses and make sure the policy has a rule that permits connections to it: use the firewall object in "Source", the name server object in "Destination" and the standard service object group "DNS" in the "Service" field.

If your firewall runs a caching name server and /etc/resolv.conf lists "127.0.0.1" as the name server address, then you need to permit the firewall to talk to itself. Here is what such an /etc/resolv.conf file looks like:

    domain your_domain.com
    nameserver 127.0.0.1

You need to add a rule to the loopback interface with the firewall object in both the Source and Destination fields and the service object group "DNS" in the Service field. This rule permits the firewall machine to communicate with the name server running on it, but you need another rule to permit that name server to send DNS queries and receive answers. This second rule should have the firewall object in Source, Destination set to "any", and the same standard service object group "DNS" in the Service field. Now not only can the firewall query the name server process running on it, but that process in turn can send queries to other name servers on the Internet and receive answers.

Here is the rule that should be added to the loopback interface:

Figure 15.2. DNS on loopback

Here is the rule that permits the name server process to communicate with name servers on the Internet:

Figure 15.3. DNS on to name servers

Depending on your policy design, you may want to permit all services rather than just DNS on the loopback interface, because many other processes need to communicate with the same host, such as X11, RPC and others. A dedicated firewall machine should not run anything unnecessary, so there you may experiment with limiting the number of services in the rule on the loopback interface. On the other hand, if you use fwbuilder to protect a server that runs many different services, permitting any service on the loopback may be the simpler solution.

The next rule permits processes running on the firewall to communicate with other processes running on the same machine on all protocols:

Figure 15.4. Any to any on firewall
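The DNS rules described above, rendered as plain iptables commands, as an added example that is not part of this guide and is not the script fwbuilder itself generates. It reads resolv.conf text, emits a firewall-to-name-server rule for an external resolver, and, when the resolver is 127.0.0.1, emits the loopback rule (Figure 15.2) plus the firewall-to-any rule (Figure 15.3) instead. The outside interface name eth0 and the addresses in the sample are constructed values. Nothing is applied: the commands are only printed, so they can be compared with what the compiled policy installed.

```shell
#!/bin/sh
# Added example, not from the fwbuilder guide and not fwbuilder's generated
# script: print iptables rules equivalent to the DNS rules described above.
# Nothing is applied; the commands are only echoed for review.
# FW_IF is the firewall's outside interface (assumed to be eth0).
FW_IF="${FW_IF:-eth0}"

# Constructed sample of /etc/resolv.conf for a firewall running a caching
# name server (the case discussed in the text).
SAMPLE_RESOLV_CONF="domain your_domain.com
nameserver 127.0.0.1"

# Print the name server addresses found in resolv.conf text read on stdin.
nameservers() {
    while read -r key value _rest; do
        if [ "$key" = "nameserver" ]; then
            echo "$value"
        fi
    done
}

# Emit the rules needed for one name server address (UDP and TCP port 53).
rules_for_nameserver() {
    ns="$1"
    if [ "$ns" = "127.0.0.1" ]; then
        # Figure 15.2: firewall -> firewall, service DNS, on the loopback interface
        for proto in udp tcp; do
            echo "iptables -A INPUT  -i lo -p $proto --dport 53 -j ACCEPT"
            echo "iptables -A OUTPUT -o lo -p $proto --dport 53 -j ACCEPT"
        done
        # Figure 15.3: firewall -> any, service DNS, so the caching name
        # server can query name servers on the Internet
        for proto in udp tcp; do
            echo "iptables -A OUTPUT -o $FW_IF -p $proto --dport 53 -j ACCEPT"
        done
    else
        # External resolver: firewall -> name server, service DNS
        for proto in udp tcp; do
            echo "iptables -A OUTPUT -o $FW_IF -d $ns -p $proto --dport 53 -j ACCEPT"
        done
    fi
}

# Generate the full rule set for the resolv.conf text given as $1.
dns_rules() {
    printf '%s\n' "$1" | nameservers | while read -r ns; do
        rules_for_nameserver "$ns"
    done
    # Answers return on connections the firewall itself opened; fwbuilder
    # policies are stateful, so the equivalent state rule is included here.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

dns_rules "$SAMPLE_RESOLV_CONF"
```

Run it with a real file via `dns_rules "$(cat /etc/resolv.conf)"` and compare the output with `iptables -L -n` on the firewall: if the loopback or outbound port 53 rules are missing there, the slow logins described above are the expected symptom.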

 

Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.