Re: [FW-1] Mail Server / Firewall Problem

the Nokia boxes support tcpdump. try using that to see if you are getting packet resends or some such data from your devices.

Checkpoint will produce those log events when it sees unlooked for packets with the "ack" (acknowledgement) flag set and has not seen any initial packets sent on that "connection". there are plenty of applications that send these packets out as the normal course of business, so it is not always an indication of attack. without a firewall or some other "intelligent" (nobody laugh please :) device to squelch it, you would never know.

since you did not make any changes, i would also find out if your email guys have made any changes and/or if their server is having problems.

TCPDUMP

A tcpdump command would look something like:

    tcpdump -i eth-s1p1 host a.b.c.203

that would show you all incoming and outgoing traffic on port eth-s1p1 going to or from that host ip address.

the tcpdump command runs in the following form:

    tcpdump -i <interfacename> options

some of the options include the following:

-->type : type can be host, net or port, the default is host
-->src host <ipaddress>: specify the IP address of the originating host
-->dst host <ipaddress>: specify the IP address of the destination host
-->host <ipaddress>: specify the IP address of the host, for which you want to monitor all packets-to and from
-->src port <portnumber> : specify the source port of the packets
-->dst port <portnumber> : specify the destination port of the packets
-->port <portnumber> : specify the port, to monitor packets to and from
-->protocol <protocolname> : specify the protocol name used by the packet, for example, TCP, IP, UDP, ICMP, ARP, RARP, etc

----- Original Message -----
From: "Marlo Montanaro" <[email protected]>
To: <[email protected]>
Sent: Thursday, April 25, 2002 2:56 PM
Subject: [FW-1] Mail Server / Firewall Problem

> Hi,
>
> I'm having some glitches that just started showing up in communications with
> my mail server.
> The mail server is a FreeBSD box running SendMail sitting
> outside our firewall on the live Internet LAN. Our users do POP3/SMTP and
> HTTP proxy via this box. (I know, bad design from the old days- the HTTP
> proxy is being eliminated and the new mail server will be in a DMZ.)
>
> Anyway, of course our users hit this box through FW-1 which is V4.1/sp5
> running on a Nokia IP440 with IPSO 3.4.1 plus the Nokia Flows patch.
>
> Everything has been running fine for months. Around 10 am this morning, I
> started noticing the following error in my mail server messages file:
>
> Apr 25 12:05:43 p1 popper[2166]: I/O Error from at a.b.c.203
> (g2.mycompany.com): [-1] 60 (Operation timed out); 0 (Undefined error: 0)
>
> ... is one example. Our firewall is the live a.b.c.203 address, which has
> our network in a hide-NAT config behind it.
>
> Corresponding to this message, I've noticed that the firewall has started to
> intermittently drop POP-3, SMTP, and HTTP packets whose destination is this
> mail server/proxy. The firewall log indicates "unknown established TCP
> packet" on all the drops.
>
> Then it will clear up for awhile...
>
> I'm perfectly willing to reboot both the mail server and firewall in hopes
> it will clear things up, but I'd like to understand what is happening first,
> if possible. Is it possible the state table in the firewall is fargled?
> Extended pings will occasionally show a dropped packet or a high ping time,
> but that is inconclusive to me. The interfaces on both the firewall and
> mail server show no send/receive errors.
>
> Any insights or thoughts on direction appreciated!
>
> Thanks,
> Marlo Montanaro
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
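
Added illustration (not written by either poster and not Check Point's code): a simplified state-table model of the behaviour described in the reply, where a packet carrying ACK arrives for a connection the filter is not tracking and is logged as "unknown established TCP packet". It goes one step beyond the thread by also ageing out idle entries; the timeout value, addresses and packet records are constructed assumptions.

```python
IDLE_TIMEOUT = 3600  # assumed idle limit in seconds; the real value is a firewall setting

def classify(packets, idle_timeout=IDLE_TIMEOUT):
    """Return a list of (timestamp, verdict), one per packet.

    packets: iterable of (ts, src, sport, dst, dport, flags) where flags is a
    set such as {"SYN"} or {"ACK", "PSH"}. Connection teardown is not modelled.
    """
    table = {}      # connection key -> time the last packet was seen
    verdicts = []
    for ts, src, sport, dst, dport, flags in packets:
        # One key for both directions of the same connection.
        key = tuple(sorted([(src, sport), (dst, dport)]))
        last = table.get(key)
        if last is not None and ts - last > idle_timeout:
            del table[key]   # entry aged out although both endpoints still think they are connected
            last = None
        if flags == {"SYN"}:
            table[key] = ts
            verdicts.append((ts, "accept: new connection"))
        elif last is not None:
            table[key] = ts
            verdicts.append((ts, "accept: established"))
        else:
            # ACK (or any non-SYN) with no tracked connection.
            verdicts.append((ts, "drop: unknown established TCP packet"))
    return verdicts

# Constructed sample traffic (documentation addresses, not from the thread).
SAMPLE = [
    (0.0, "10.0.0.5", 40001, "192.0.2.25", 110, {"SYN"}),
    (0.1, "192.0.2.25", 110, "10.0.0.5", 40001, {"SYN", "ACK"}),
    (0.2, "10.0.0.5", 40001, "192.0.2.25", 110, {"ACK"}),
    # Server answers after the entry has been idle longer than the timeout.
    (4000.0, "192.0.2.25", 110, "10.0.0.5", 40001, {"ACK", "PSH"}),
    # ACK on a connection whose SYN the filter never saw.
    (4001.0, "10.0.0.9", 40002, "192.0.2.25", 25, {"ACK"}),
]

if __name__ == "__main__":
    for ts, verdict in classify(SAMPLE):
        print(f"{ts:>8.1f}  {verdict}")
```

Comparing the timestamps of dropped packets in a tcpdump capture with the last earlier packet on the same address and port pair shows which of the two cases applies.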