Zywall blocks clients
We run an Open Directory server on a Mac mini. This Mac mini is also the DNS for our VLAN (192.168.3.100-255).
On most computers the internet runs smoothly. I have, however, two computers that have intermittent problems with getting a response from the DNS, because they're not retrieving webpages. I can connect with remote desktop etc. just fine though. The computers all get an IP address from the DHCP (also on the Zywall).
Together with the network guys I figured out the clients that have problems are being blocked for polling one of Apple's servers too often.
Zywall Logs:
180 | 2016-06-14 19:46:45 | alert | Security Policy Control | abnormal TCP flag attack detected, DROP | 192.168.3.174:53268 | 17.167.146.12:443 | ACCESS BLOCK |
181 | 2016-06-14 19:46:18 | alert | Security Policy Control | abnormal TCP flag attack detected, DROP | 192.168.3.174:53253 | 17.167.146.12:443 | ACCESS BLOCK |
182 | 2016-06-14 19:46:09 | alert | Security Policy Control | abnormal TCP flag attack detected, DROP | 192.168.3.174:53250 | 17.167.146.12:443 | ACCESS BLOCK |
183 | 2016-06-14 19:46:06 | alert | Security Policy Control | abnormal TCP flag attack detected, DROP | 192.168.3.174:53249 | 17.167.146.12:443 | ACCESS BLOCK |
184 | 2016-06-14 19:46:02 | alert | Security Policy Control | abnormal TCP flag attack detected, DROP | 192.168.3.174:53220 | 17.167.146.12:443 | ACCESS BLOCK |
209 | 2016-06-14 19:35:38 | alert | Security Policy Control | abnormal TCP flag attack detected, DROP | 192.168.3.174:52435 | 17.167.146.12:443 | ACCESS BLOCK |
211 | 2016-06-14 19:35:11 | alert | Security Policy Control | abnormal TCP flag attack detected, DROP | 192.168.3.174:52421 | 17.167.146.12:443 | ACCESS BLOCK |
When these log entries manifest, I am also not able to ping Google from these computers.
The network guy was supposed to update the firmware on the Zywall tonight. ZyXEL support told us to update it to the latest build before they could help us. Apparently they are aware of the issue.
I tried the solution suggested here, but unfortunately it's not the definite solution.
http://labs.hoffmanlabs.com/node/1920
At ZyXEL's request we upgraded the firmware to the latest version. Didn't help, now it's flagging requests to 2 Facebook servers in Ireland.
I've already switched off the APN setting on the server. I also disabled the reachability services. To no avail.
Getting really frustrated here and my customer as well.
I'd hate to have to get a second firewall just to block one IP address.
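
Added example (not part of the original post and not ZyXEL tooling): a small Python script that tallies the "abnormal TCP flag" drops per client and destination from log rows exported in the pipe-delimited layout shown above, so you can see which hosts are affected, how many separate connections were dropped, and whether the drops come in bursts. The column layout is assumed to match the pasted rows; the function names and the 120-second burst gap are hypothetical choices.

```python
from collections import defaultdict
from datetime import datetime

# Sample input: the seven log rows quoted in the post, copied verbatim.
SAMPLE_LOG = """\
180 | 2016-06-14 19:46:45 | alert | Security Policy Control | abnormal TCP flag attack detected, DROP | 192.168.3.174:53268 | 17.167.146.12:443 | ACCESS BLOCK |
181 | 2016-06-14 19:46:18 | alert | Security Policy Control | abnormal TCP flag attack detected, DROP | 192.168.3.174:53253 | 17.167.146.12:443 | ACCESS BLOCK |
182 | 2016-06-14 19:46:09 | alert | Security Policy Control | abnormal TCP flag attack detected, DROP | 192.168.3.174:53250 | 17.167.146.12:443 | ACCESS BLOCK |
183 | 2016-06-14 19:46:06 | alert | Security Policy Control | abnormal TCP flag attack detected, DROP | 192.168.3.174:53249 | 17.167.146.12:443 | ACCESS BLOCK |
184 | 2016-06-14 19:46:02 | alert | Security Policy Control | abnormal TCP flag attack detected, DROP | 192.168.3.174:53220 | 17.167.146.12:443 | ACCESS BLOCK |
209 | 2016-06-14 19:35:38 | alert | Security Policy Control | abnormal TCP flag attack detected, DROP | 192.168.3.174:52435 | 17.167.146.12:443 | ACCESS BLOCK |
211 | 2016-06-14 19:35:11 | alert | Security Policy Control | abnormal TCP flag attack detected, DROP | 192.168.3.174:52421 | 17.167.146.12:443 | ACCESS BLOCK |
"""

def parse_row(line):
    """Return a dict for one pipe-delimited row, or None if it does not parse."""
    f = [c.strip() for c in line.split("|")]
    if len(f) < 8:
        return None
    try:
        src_ip, src_port = f[5].rsplit(":", 1)
        dst_ip, dst_port = f[6].rsplit(":", 1)
        return {"time": datetime.strptime(f[1], "%Y-%m-%d %H:%M:%S"),
                "msg": f[4], "src": src_ip, "sport": int(src_port),
                "dst": dst_ip, "dport": int(dst_port)}
    except ValueError:
        return None

def summarise(text, burst_gap=120):
    """Group 'abnormal TCP flag' drops by (client, server, port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        row = parse_row(line)
        if row and "abnormal TCP flag" in row["msg"]:
            flows[(row["src"], row["dst"], row["dport"])].append(row)
    report = {}
    for key, rows in flows.items():
        times = sorted(r["time"] for r in rows)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[key] = {"drops": len(rows), "first": times[0], "last": times[-1],
                       # a new burst starts after a quiet period > burst_gap s
                       "bursts": 1 + sum(g > burst_gap for g in gaps),
                       "src_ports": len({r["sport"] for r in rows})}
    return report

if __name__ == "__main__":
    for (src, dst, port), s in summarise(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{port}  drops={s['drops']} bursts={s['bursts']} "
              f"src_ports={s['src_ports']}  {s['first']} .. {s['last']}")
```

Run against a full log export, the same summary shows at a glance whether the drops are confined to the two problem machines and to a handful of destinations, which is useful evidence to hand to vendor support.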