WatchGuard x1000 User Guide

Chapter 9: Configuring Proxied Services
WatchGuard Firebox System
4. By default, all rules are enabled. You can enable or disable the rules as you choose to determine which packet originators are automatically added to the auto-blocked sites list.
To select or clear several consecutive rules as a group, select the first rule, press Shift and select the last rule, and then select one of the rules between the two selections.
To select or clear several non-consecutive rules as a group, press Ctrl and select each rule you want.
DNS file descriptor limit
The DNS proxy has only 256 file descriptors available for its use, which limits the number of DNS connections in a NAT environment. Every UDP request that uses dynamic NAT uses a file descriptor for the duration of the UDP timeout. Every TCP session that uses dynamic, static, or 1-to-1 NAT uses a file descriptor for the duration of the session.
The file descriptor limit is rarely a problem, but an occasional site may experience slow name resolution and many instances of the following log message:
dns-proxy[xx] dns_setup_connect_udp: Unable to create UDP socket for port: Invalid argument
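
One way to check exported logs for this condition, as an added example that is not part of the WatchGuard guide: it counts the message above per minute and reports the minutes where it repeats. The syslog-style timestamp prefix, the host name, the sample lines, and the threshold of 3 are assumptions made for illustration.

```python
import re
from collections import Counter

# Message text from the guide; "[xx]" is the proxy's process id, which varies.
FD_EXHAUSTED = re.compile(
    r"dns-proxy\[\d+\]\s+dns_setup_connect_udp:\s+"
    r"Unable to create UDP socket for port: Invalid argument"
)
# Assumed prefix "Mon DD HH:MM:SS"; adjust to the format of your log export.
TIMESTAMP = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}):\d{2}\b")


def fd_exhaustion_by_minute(lines):
    """Count descriptor-exhaustion messages per minute bucket."""
    counts = Counter()
    for line in lines:
        if not FD_EXHAUSTED.search(line):
            continue  # unrelated log line
        stamp = TIMESTAMP.match(line)
        counts[stamp.group(1) if stamp else "unknown"] += 1
    return counts


def busy_minutes(lines, threshold=3):
    """Return (minute, count) pairs with at least `threshold` messages."""
    counts = fd_exhaustion_by_minute(lines)
    return sorted((minute, n) for minute, n in counts.items() if n >= threshold)


MSG = "dns_setup_connect_udp: Unable to create UDP socket for port: Invalid argument"
# Constructed sample input, not real Firebox output.
SAMPLE_LOG = [
    f"Mar 04 10:15:01 firebox dns-proxy[112] {MSG}",
    f"Mar 04 10:15:07 firebox dns-proxy[112] {MSG}",
    "Mar 04 10:15:32 firebox other-daemon[87] unrelated message",
    f"Mar 04 10:15:44 firebox dns-proxy[112] {MSG}",
    f"Mar 04 10:16:02 firebox dns-proxy[112] {MSG}",
    f"Mar 04 10:17:10 firebox dns-proxy[112] {MSG}",
    f"Mar 04 10:17:11 firebox dns-proxy[112] {MSG}",
    f"Mar 04 10:17:12 firebox dns-proxy[112] {MSG}",
    f"Mar 04 10:17:59 firebox dns-proxy[112] {MSG}",
]

if __name__ == "__main__":
    for minute, n in busy_minutes(SAMPLE_LOG):
        print(f"{minute}  {n} messages: DNS proxy may be out of file descriptors")
```

Lines that were wrapped or hyphenated during export will not match the pattern, so rejoin them before scanning.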